Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 02:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe
-
Size
112KB
-
MD5
a31db3e931f77e99a9a346e88c8e3ac7
-
SHA1
ca469e5043e9a2828706d061ed633d3c2f9bb3f0
-
SHA256
c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db
-
SHA512
dcb7c029998a925a22269d56181e5119946450c5872cd2a7c8bcef93c1e3f5eb9545b668befc3c8071961623e6845ba33d5babd5fd6265ca2aa71409042378ee
-
SSDEEP
3072:VYHj3++GgH3MQH2qC7ZQOlzSLUK6MwGsGnDc9o:VYHjHH3MQWfdQOhwJ6MwGsw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjhagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiijnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhohda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjldghjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckoam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqacic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkhnle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcpjmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpnhdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amelne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe -
Executes dropped EXE 64 IoCs
pid Process 3020 Fglipi32.exe 2688 Fnfamcoj.exe 2620 Fbamma32.exe 2784 Fepiimfg.exe 2544 Fagjnn32.exe 2960 Fcefji32.exe 1824 Fnkjhb32.exe 1504 Fmmkcoap.exe 2832 Gedbdlbb.exe 1288 Gdgcpi32.exe 1236 Gffoldhp.exe 1148 Gjakmc32.exe 1432 Gakcimgf.exe 2020 Gpncej32.exe 1864 Ghelfg32.exe 2132 Gfhladfn.exe 1972 Gmbdnn32.exe 812 Gpqpjj32.exe 1040 Gdllkhdg.exe 944 Gfjhgdck.exe 1740 Giieco32.exe 3052 Gdniqh32.exe 2408 Gepehphc.exe 1956 Gmgninie.exe 2284 Gljnej32.exe 2788 Gbcfadgl.exe 2692 Ghqnjk32.exe 2500 Hpgfki32.exe 2520 Hojgfemq.exe 696 Haiccald.exe 2588 Hipkdnmf.exe 2252 Hlngpjlj.exe 1360 Hbhomd32.exe 2472 Heglio32.exe 860 Hhehek32.exe 2844 Hkcdafqb.exe 1304 Hoopae32.exe 1136 Hmbpmapf.exe 2796 Heihnoph.exe 1308 Hdlhjl32.exe 1400 Hhgdkjol.exe 2928 Hgjefg32.exe 1328 Hkfagfop.exe 3004 Hmdmcanc.exe 2940 Hapicp32.exe 888 Hpbiommg.exe 308 Hhjapjmi.exe 916 Hhjapjmi.exe 2904 Hgmalg32.exe 2504 Hkhnle32.exe 1760 Hiknhbcg.exe 2296 Hmfjha32.exe 2868 Habfipdj.exe 2524 Hdqbekcm.exe 1648 Hdqbekcm.exe 2028 Iccbqh32.exe 2372 Igonafba.exe 2176 Ikkjbe32.exe 2828 Iimjmbae.exe 2528 Inifnq32.exe 2772 Illgimph.exe 2912 Idcokkak.exe 2064 Idcokkak.exe 3016 Icfofg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 3020 Fglipi32.exe 3020 Fglipi32.exe 2688 Fnfamcoj.exe 2688 Fnfamcoj.exe 2620 Fbamma32.exe 2620 Fbamma32.exe 2784 Fepiimfg.exe 2784 Fepiimfg.exe 2544 Fagjnn32.exe 2544 Fagjnn32.exe 2960 Fcefji32.exe 2960 Fcefji32.exe 1824 Fnkjhb32.exe 1824 Fnkjhb32.exe 1504 Fmmkcoap.exe 1504 Fmmkcoap.exe 2832 Gedbdlbb.exe 2832 Gedbdlbb.exe 1288 Gdgcpi32.exe 1288 Gdgcpi32.exe 1236 Gffoldhp.exe 1236 Gffoldhp.exe 1148 Gjakmc32.exe 1148 Gjakmc32.exe 1432 Gakcimgf.exe 1432 Gakcimgf.exe 2020 Gpncej32.exe 2020 Gpncej32.exe 1864 Ghelfg32.exe 1864 Ghelfg32.exe 2132 Gfhladfn.exe 2132 Gfhladfn.exe 1972 Gmbdnn32.exe 1972 Gmbdnn32.exe 812 Gpqpjj32.exe 812 Gpqpjj32.exe 1040 Gdllkhdg.exe 1040 Gdllkhdg.exe 944 Gfjhgdck.exe 944 Gfjhgdck.exe 1740 Giieco32.exe 1740 Giieco32.exe 3052 Gdniqh32.exe 3052 Gdniqh32.exe 2408 Gepehphc.exe 2408 Gepehphc.exe 1956 Gmgninie.exe 1956 Gmgninie.exe 2284 Gljnej32.exe 2284 Gljnej32.exe 2788 Gbcfadgl.exe 2788 Gbcfadgl.exe 2692 Ghqnjk32.exe 2692 Ghqnjk32.exe 2500 Hpgfki32.exe 2500 Hpgfki32.exe 2520 Hojgfemq.exe 2520 Hojgfemq.exe 696 Haiccald.exe 696 Haiccald.exe 2588 Hipkdnmf.exe 2588 Hipkdnmf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hcgdenbm.dll Ncbplk32.exe File created C:\Windows\SysWOW64\Ffjmmbcg.dll Pkdgpo32.exe File created C:\Windows\SysWOW64\Mdghad32.dll Hpgfki32.exe File created C:\Windows\SysWOW64\Lmcmdd32.dll Okanklik.exe File created C:\Windows\SysWOW64\Okbekdoi.dll Aeenochi.exe File created C:\Windows\SysWOW64\Ajbggjfq.exe Afgkfl32.exe File opened for modification C:\Windows\SysWOW64\Hkfagfop.exe Hgjefg32.exe File created C:\Windows\SysWOW64\Bedolome.dll Jnpinc32.exe File created C:\Windows\SysWOW64\Ocdmaj32.exe Nhohda32.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Oappcfmb.exe File created C:\Windows\SysWOW64\Jhgkeald.dll Bbdallnd.exe File opened for modification C:\Windows\SysWOW64\Hhgdkjol.exe Hdlhjl32.exe File created C:\Windows\SysWOW64\Jqilooij.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Mehjml32.dll Ncpcfkbg.exe File created C:\Windows\SysWOW64\Hbcicn32.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Moanaiie.exe Mieeibkn.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Boplllob.exe File created C:\Windows\SysWOW64\Mhdffl32.dll Jjdmmdnh.exe File opened for modification C:\Windows\SysWOW64\Lfmffhde.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Ikhbnkpn.dll Fepiimfg.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Knklagmb.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kgcpjmcb.exe File created C:\Windows\SysWOW64\Gdgcpi32.exe Gedbdlbb.exe File created C:\Windows\SysWOW64\Hoikeh32.dll Gdniqh32.exe File created C:\Windows\SysWOW64\Hpggbq32.dll Afiglkle.exe File created C:\Windows\SysWOW64\Jghmfhmb.exe Jcmafj32.exe File created C:\Windows\SysWOW64\Kgcpjmcb.exe Keednado.exe File opened for modification C:\Windows\SysWOW64\Migbnb32.exe Mapjmehi.exe File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe Qodlkm32.exe File opened for modification C:\Windows\SysWOW64\Hmfjha32.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Bbgnak32.exe Bnkbam32.exe File created C:\Windows\SysWOW64\Baadng32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Ihgainbg.exe Ijdqna32.exe File opened for modification C:\Windows\SysWOW64\Kconkibf.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Qbplbi32.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Jcmafj32.exe File opened for modification C:\Windows\SysWOW64\Oqcpob32.exe Oappcfmb.exe File opened for modification C:\Windows\SysWOW64\Bbdallnd.exe Bpfeppop.exe File created C:\Windows\SysWOW64\Gdmlko32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Igonafba.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jbdonb32.exe File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe Blmfea32.exe File created C:\Windows\SysWOW64\Nfolbbmp.dll Bmclhi32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ihgainbg.exe File opened for modification C:\Windows\SysWOW64\Jkmcfhkc.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Aceobl32.dll Pokieo32.exe File created C:\Windows\SysWOW64\Qbbhgi32.exe Qodlkm32.exe File created C:\Windows\SysWOW64\Pcfefmnk.exe Pokieo32.exe File created C:\Windows\SysWOW64\Hdlhjl32.exe Heihnoph.exe File created C:\Windows\SysWOW64\Epecke32.dll Jqnejn32.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Amcpie32.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Pqemdbaj.exe Pmjqcc32.exe File created C:\Windows\SysWOW64\Bpfeppop.exe Bmhideol.exe File opened for modification C:\Windows\SysWOW64\Gpncej32.exe Gakcimgf.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gpncej32.exe File created C:\Windows\SysWOW64\Mbbcbk32.dll Iimjmbae.exe File created C:\Windows\SysWOW64\Keednado.exe Kfbcbd32.exe File created C:\Windows\SysWOW64\Mmjhjhkh.dll Gfhladfn.exe File created C:\Windows\SysWOW64\Dempblao.dll Inifnq32.exe File created C:\Windows\SysWOW64\Oappcfmb.exe Ojigbhlp.exe File opened for modification C:\Windows\SysWOW64\Boplllob.exe Blaopqpo.exe File created C:\Windows\SysWOW64\Cfgheegc.dll Balkchpi.exe File opened for modification C:\Windows\SysWOW64\Fmmkcoap.exe Fnkjhb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4204 4180 WerFault.exe 335 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfiale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdmmdnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhajdblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oegbheiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apalea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkacb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocflgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kincipnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfmfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqacic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigbhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocalkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igonafba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illgimph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdqna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnfnfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonoflae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcfadgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpndnei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaiqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgalqkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nekbmgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmojocel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmlhchd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlhnagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhohda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqcpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkhpkoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlngpjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qijdocfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idnaoohk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmikibio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiladcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbcfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojgfemq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkjbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okoafmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkidlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haiccald.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqilooij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndemjoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfgfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckoam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagjnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkglameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iheddndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfigjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgpbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kconkibf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmplcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll" Ocalkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcefji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdqna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdepo32.dll" Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll" Pbkbgjcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll" Bbikgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodahd32.dll" Igonafba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allepo32.dll" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocalkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Becnhgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifkacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdffl32.dll" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Lphhenhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhbnkpn.dll" Fepiimfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhohda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjqcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmojocel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll" Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gffoldhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" Mbpgggol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 3020 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 28 PID 2872 wrote to memory of 3020 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 28 PID 2872 wrote to memory of 3020 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 28 PID 2872 wrote to memory of 3020 2872 c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe 28 PID 3020 wrote to memory of 2688 3020 Fglipi32.exe 29 PID 3020 wrote to memory of 2688 3020 Fglipi32.exe 29 PID 3020 wrote to memory of 2688 3020 Fglipi32.exe 29 PID 3020 wrote to memory of 2688 3020 Fglipi32.exe 29 PID 2688 wrote to memory of 2620 2688 Fnfamcoj.exe 30 PID 2688 wrote to memory of 2620 2688 Fnfamcoj.exe 30 PID 2688 wrote to memory of 2620 2688 Fnfamcoj.exe 30 PID 2688 wrote to memory of 2620 2688 Fnfamcoj.exe 30 PID 2620 wrote to memory of 2784 2620 Fbamma32.exe 31 PID 2620 wrote to memory of 2784 2620 Fbamma32.exe 31 PID 2620 wrote to memory of 2784 2620 Fbamma32.exe 31 PID 2620 wrote to memory of 2784 2620 Fbamma32.exe 31 PID 2784 wrote to memory of 2544 2784 Fepiimfg.exe 32 PID 2784 wrote to memory of 2544 2784 Fepiimfg.exe 32 PID 2784 wrote to memory of 2544 2784 Fepiimfg.exe 32 PID 2784 wrote to memory of 2544 2784 Fepiimfg.exe 32 PID 2544 wrote to memory of 2960 2544 Fagjnn32.exe 33 PID 2544 wrote to memory of 2960 2544 Fagjnn32.exe 33 PID 2544 wrote to memory of 2960 2544 Fagjnn32.exe 33 PID 2544 wrote to memory of 2960 2544 Fagjnn32.exe 33 PID 2960 wrote to memory of 1824 2960 Fcefji32.exe 34 PID 2960 wrote to memory of 1824 2960 Fcefji32.exe 34 PID 2960 wrote to memory of 1824 2960 Fcefji32.exe 34 PID 2960 wrote to memory of 1824 2960 Fcefji32.exe 34 PID 1824 wrote to memory of 1504 1824 Fnkjhb32.exe 35 PID 1824 wrote to memory of 1504 1824 Fnkjhb32.exe 35 PID 1824 wrote to memory of 1504 1824 Fnkjhb32.exe 35 PID 1824 wrote to memory of 1504 1824 Fnkjhb32.exe 35 PID 1504 wrote to memory of 2832 1504 Fmmkcoap.exe 36 PID 1504 wrote to memory of 2832 1504 Fmmkcoap.exe 36 PID 1504 wrote to memory of 2832 1504 Fmmkcoap.exe 36 PID 1504 wrote to memory of 2832 1504 Fmmkcoap.exe 36 PID 2832 wrote to memory of 1288 2832 Gedbdlbb.exe 37 PID 2832 wrote to memory of 1288 2832 Gedbdlbb.exe 37 PID 2832 wrote to memory of 1288 2832 Gedbdlbb.exe 37 PID 2832 wrote to memory of 1288 2832 Gedbdlbb.exe 37 PID 1288 wrote to memory of 1236 1288 Gdgcpi32.exe 38 PID 1288 wrote to memory of 1236 1288 Gdgcpi32.exe 38 PID 1288 wrote to memory of 1236 1288 Gdgcpi32.exe 38 PID 1288 wrote to memory of 1236 1288 Gdgcpi32.exe 38 PID 1236 wrote to memory of 1148 1236 Gffoldhp.exe 39 PID 1236 wrote to memory of 1148 1236 Gffoldhp.exe 39 PID 1236 wrote to memory of 1148 1236 Gffoldhp.exe 39 PID 1236 wrote to memory of 1148 1236 Gffoldhp.exe 39 PID 1148 wrote to memory of 1432 1148 Gjakmc32.exe 40 PID 1148 wrote to memory of 1432 1148 Gjakmc32.exe 40 PID 1148 wrote to memory of 1432 1148 Gjakmc32.exe 40 PID 1148 wrote to memory of 1432 1148 Gjakmc32.exe 40 PID 1432 wrote to memory of 2020 1432 Gakcimgf.exe 41 PID 1432 wrote to memory of 2020 1432 Gakcimgf.exe 41 PID 1432 wrote to memory of 2020 1432 Gakcimgf.exe 41 PID 1432 wrote to memory of 2020 1432 Gakcimgf.exe 41 PID 2020 wrote to memory of 1864 2020 Gpncej32.exe 42 PID 2020 wrote to memory of 1864 2020 Gpncej32.exe 42 PID 2020 wrote to memory of 1864 2020 Gpncej32.exe 42 PID 2020 wrote to memory of 1864 2020 Gpncej32.exe 42 PID 1864 wrote to memory of 2132 1864 Ghelfg32.exe 43 PID 1864 wrote to memory of 2132 1864 Ghelfg32.exe 43 PID 1864 wrote to memory of 2132 1864 Ghelfg32.exe 43 PID 1864 wrote to memory of 2132 1864 Ghelfg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe"C:\Users\Admin\AppData\Local\Temp\c0ca67ef612ec50b6dc31781dcc0cbcdc39e968d5c9b6146d51fecfe532070db.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe36⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe37⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe44⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe45⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe46⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe47⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe48⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe50⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe53⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe55⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe56⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe57⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe63⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe64⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe65⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe66⤵PID:2680
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe69⤵PID:688
-
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:408 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe72⤵PID:2512
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe74⤵PID:2964
-
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe75⤵PID:2564
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe76⤵PID:884
-
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe78⤵PID:1616
-
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe79⤵PID:1832
-
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe82⤵PID:1356
-
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe85⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe87⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe89⤵PID:2640
-
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe91⤵PID:2404
-
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe92⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe93⤵PID:772
-
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe95⤵PID:1816
-
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe96⤵PID:2804
-
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe98⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe99⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe100⤵PID:2076
-
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe101⤵PID:2988
-
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe102⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe103⤵PID:2812
-
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe104⤵PID:2760
-
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe105⤵PID:1224
-
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe107⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe108⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe109⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe111⤵PID:2896
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe113⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe114⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe115⤵PID:2112
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe116⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe117⤵PID:2764
-
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-