Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 02:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe
-
Size
59KB
-
MD5
cd598703a6d2a765905b9c9d57ad1d51
-
SHA1
3d63530fc3215127fc52bc4cdbcd647626879199
-
SHA256
c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a
-
SHA512
3ffcacf2dbb419047ef7341bd2c724f8db0d7ee8ec2a01839067cf61853e28c308c5dd0ca51ccee43e6c769ac665cdc683064a2d68072ed4a78aecec571120b7
-
SSDEEP
1536:+5kEQ99kj8SZAbY4hXF2TyVzUi3nW/T18q12LHO:wj8SZohXguUi3nWTyqmHO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnkcpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggndi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgffe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfoghakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnebjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpogbgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgigil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcacc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgamdef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndlem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanogipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqnkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koddccaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbaaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbaken32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlelhe32.exe -
Executes dropped EXE 64 IoCs
pid Process 2380 Fchijone.exe 2384 Fffefjmi.exe 2472 Fjbafi32.exe 2888 Fheabelm.exe 2748 Ffibkj32.exe 2976 Fmcjhdbc.exe 2352 Fcmben32.exe 2260 Fdnolfon.exe 676 Fkhgip32.exe 792 Fbbofjnh.exe 2676 Fdpkbf32.exe 1428 Fgohna32.exe 324 Fnipkkdl.exe 2164 Fdbhge32.exe 580 Fgadda32.exe 1500 Gjpqpl32.exe 2464 Gqiimfam.exe 3008 Gcheib32.exe 2564 Ggcaiqhj.exe 1096 Gjbmelgm.exe 2144 Gqlebf32.exe 900 Gcjbna32.exe 2232 Ggfnopfg.exe 2300 Gjdjklek.exe 1808 Gnpflj32.exe 3036 Gcmoda32.exe 2876 Gfkkpmko.exe 2752 Gmecmg32.exe 1964 Gbaken32.exe 2896 Gjicfk32.exe 2760 Gljpncgc.exe 2612 Gpelnb32.exe 2236 Hfpdkl32.exe 2792 Hmjlhfof.exe 320 Hnkion32.exe 780 Hbfepmmn.exe 2956 Hhcmhdke.exe 1960 Hnmeen32.exe 2656 Halbai32.exe 2536 Hibjbgbh.exe 1592 Hjdfjo32.exe 2296 Hbknkl32.exe 3016 Hanogipc.exe 1628 Hdlkcdog.exe 2040 Hlccdboi.exe 2452 Hmeolj32.exe 912 Hhjcic32.exe 1196 Hjipenda.exe 1204 Hndlem32.exe 1468 Iabhah32.exe 2816 Ipehmebh.exe 2868 Ihmpobck.exe 2732 Ifoqjo32.exe 2620 Ijklknbn.exe 1012 Iinmfk32.exe 1256 Imiigiab.exe 992 Imiigiab.exe 2964 Iaeegh32.exe 1684 Iphecepe.exe 2096 Idcacc32.exe 2152 Ibfaopoi.exe 948 Ifampo32.exe 2596 Ijmipn32.exe 1640 Iipiljgf.exe -
Loads dropped DLL 64 IoCs
pid Process 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 2380 Fchijone.exe 2380 Fchijone.exe 2384 Fffefjmi.exe 2384 Fffefjmi.exe 2472 Fjbafi32.exe 2472 Fjbafi32.exe 2888 Fheabelm.exe 2888 Fheabelm.exe 2748 Ffibkj32.exe 2748 Ffibkj32.exe 2976 Fmcjhdbc.exe 2976 Fmcjhdbc.exe 2352 Fcmben32.exe 2352 Fcmben32.exe 2260 Fdnolfon.exe 2260 Fdnolfon.exe 676 Fkhgip32.exe 676 Fkhgip32.exe 792 Fbbofjnh.exe 792 Fbbofjnh.exe 2676 Fdpkbf32.exe 2676 Fdpkbf32.exe 1428 Fgohna32.exe 1428 Fgohna32.exe 324 Fnipkkdl.exe 324 Fnipkkdl.exe 2164 Fdbhge32.exe 2164 Fdbhge32.exe 580 Fgadda32.exe 580 Fgadda32.exe 1500 Gjpqpl32.exe 1500 Gjpqpl32.exe 2464 Gqiimfam.exe 2464 Gqiimfam.exe 3008 Gcheib32.exe 3008 Gcheib32.exe 2564 Ggcaiqhj.exe 2564 Ggcaiqhj.exe 1096 Gjbmelgm.exe 1096 Gjbmelgm.exe 2144 Gqlebf32.exe 2144 Gqlebf32.exe 900 Gcjbna32.exe 900 Gcjbna32.exe 2232 Ggfnopfg.exe 2232 Ggfnopfg.exe 2300 Gjdjklek.exe 2300 Gjdjklek.exe 1808 Gnpflj32.exe 1808 Gnpflj32.exe 3036 Gcmoda32.exe 3036 Gcmoda32.exe 2876 Gfkkpmko.exe 2876 Gfkkpmko.exe 2752 Gmecmg32.exe 2752 Gmecmg32.exe 1964 Gbaken32.exe 1964 Gbaken32.exe 2896 Gjicfk32.exe 2896 Gjicfk32.exe 2760 Gljpncgc.exe 2760 Gljpncgc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Anbkipok.exe Aoojnc32.exe File opened for modification C:\Windows\SysWOW64\Dddimn32.exe Dafmqb32.exe File created C:\Windows\SysWOW64\Dcdgqq32.dll Ipeaco32.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Ioohokoo.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Clpabm32.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Eeaepd32.exe Eaeipfei.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Objaha32.exe File created C:\Windows\SysWOW64\Ckmqbj32.dll Npaich32.exe File created C:\Windows\SysWOW64\Dknajh32.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Gncldi32.exe Gkephn32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Alnalh32.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bigkel32.exe File created C:\Windows\SysWOW64\Mdkqhhpm.dll Knnkpobc.exe File created C:\Windows\SysWOW64\Ohagbj32.exe Oeckfndj.exe File created C:\Windows\SysWOW64\Mlfbgb32.dll Idkpganf.exe File created C:\Windows\SysWOW64\Mqdkghnj.dll Qgjccb32.exe File created C:\Windows\SysWOW64\Ihaiqn32.dll Obokcqhk.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Fkhabhbn.dll Bbeded32.exe File created C:\Windows\SysWOW64\Hbefdnjd.dll Ccpcckck.exe File created C:\Windows\SysWOW64\Emagacdm.exe Eiekpd32.exe File opened for modification C:\Windows\SysWOW64\Hifpke32.exe Hfhcoj32.exe File opened for modification C:\Windows\SysWOW64\Hcdnhoac.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kjokokha.exe File created C:\Windows\SysWOW64\Dbmiil32.dll Khabghdl.exe File created C:\Windows\SysWOW64\Lcomce32.exe Ldllgiek.exe File created C:\Windows\SysWOW64\Qaipli32.dll Olkfmi32.exe File created C:\Windows\SysWOW64\Jngafd32.dll Fhomkcoa.exe File created C:\Windows\SysWOW64\Jbefcm32.exe Jojkco32.exe File created C:\Windows\SysWOW64\Abpcooea.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Ibfaopoi.exe Idcacc32.exe File created C:\Windows\SysWOW64\Nihqegkl.dll Ajqljc32.exe File created C:\Windows\SysWOW64\Demofaol.exe Daacecfc.exe File created C:\Windows\SysWOW64\Fajbke32.exe Folfoj32.exe File opened for modification C:\Windows\SysWOW64\Ihhcbf32.exe Iiecgjba.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ackmih32.exe File created C:\Windows\SysWOW64\Aekeef32.dll Gqdefddb.exe File created C:\Windows\SysWOW64\Bibjaofg.dll Pohhna32.exe File created C:\Windows\SysWOW64\Phmaeh32.dll Njdqka32.exe File created C:\Windows\SysWOW64\Eeohkeoe.exe Eacljf32.exe File created C:\Windows\SysWOW64\Lklgbadb.exe Lhnkffeo.exe File opened for modification C:\Windows\SysWOW64\Oibmpl32.exe Ojomdoof.exe File created C:\Windows\SysWOW64\Fenjme32.dll Oalhqohl.exe File created C:\Windows\SysWOW64\Ecbbbh32.dll Cmfkfa32.exe File opened for modification C:\Windows\SysWOW64\Knkgpi32.exe Kjokokha.exe File created C:\Windows\SysWOW64\Dnbamjbm.dll Bgaebe32.exe File created C:\Windows\SysWOW64\Pkjphcff.exe Phlclgfc.exe File created C:\Windows\SysWOW64\Bmbgfkje.exe Bigkel32.exe File created C:\Windows\SysWOW64\Bnjdhe32.dll Bmbgfkje.exe File opened for modification C:\Windows\SysWOW64\Phcpgm32.exe Peedka32.exe File opened for modification C:\Windows\SysWOW64\Pejmfqan.exe Panaeb32.exe File created C:\Windows\SysWOW64\Apldjp32.dll Gblkoham.exe File created C:\Windows\SysWOW64\Ihdpbq32.exe Idicbbpi.exe File created C:\Windows\SysWOW64\Alihaioe.exe Qnghel32.exe File created C:\Windows\SysWOW64\Jqojeand.dll Gjdjklek.exe File created C:\Windows\SysWOW64\Qqfkln32.exe Qngopb32.exe File created C:\Windows\SysWOW64\Pkfope32.dll Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Jampjian.exe Jondnnbk.exe File created C:\Windows\SysWOW64\Bofgii32.exe Bkklhjnk.exe File created C:\Windows\SysWOW64\Goiebopf.dll Iihiphln.exe File created C:\Windows\SysWOW64\Oncobd32.dll Kaajei32.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Ofadnq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9144 9112 WerFault.exe 857 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkkbmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnpkmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeckfndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdihhag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaoqqflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblcfnhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbpbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieigfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anneqafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppcmncq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkcpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgnkdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffibkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcijf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankojf32.dll" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkenb32.dll" Oajlkojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilfnc32.dll" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfgpl32.dll" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaohl32.dll" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgknkqan.dll" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmaeh32.dll" Njdqka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmgamof.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfjmfen.dll" Mfihkoal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjofo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhkkbmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikifegp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnmcb32.dll" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkqhaf.dll" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgalkcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkkdd32.dll" Ajeeeblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klpdaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qobbofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlfhkoa.dll" Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldlhdpl.dll" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogkdiemp.dll" Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjleflod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofphfof.dll" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiekpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll" Cbppnbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioloda32.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaooi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfliim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllbljej.dll" Hanogipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgfcja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 2380 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 30 PID 632 wrote to memory of 2380 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 30 PID 632 wrote to memory of 2380 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 30 PID 632 wrote to memory of 2380 632 c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe 30 PID 2380 wrote to memory of 2384 2380 Fchijone.exe 31 PID 2380 wrote to memory of 2384 2380 Fchijone.exe 31 PID 2380 wrote to memory of 2384 2380 Fchijone.exe 31 PID 2380 wrote to memory of 2384 2380 Fchijone.exe 31 PID 2384 wrote to memory of 2472 2384 Fffefjmi.exe 32 PID 2384 wrote to memory of 2472 2384 Fffefjmi.exe 32 PID 2384 wrote to memory of 2472 2384 Fffefjmi.exe 32 PID 2384 wrote to memory of 2472 2384 Fffefjmi.exe 32 PID 2472 wrote to memory of 2888 2472 Fjbafi32.exe 33 PID 2472 wrote to memory of 2888 2472 Fjbafi32.exe 33 PID 2472 wrote to memory of 2888 2472 Fjbafi32.exe 33 PID 2472 wrote to memory of 2888 2472 Fjbafi32.exe 33 PID 2888 wrote to memory of 2748 2888 Fheabelm.exe 34 PID 2888 wrote to memory of 2748 2888 Fheabelm.exe 34 PID 2888 wrote to memory of 2748 2888 Fheabelm.exe 34 PID 2888 wrote to memory of 2748 2888 Fheabelm.exe 34 PID 2748 wrote to memory of 2976 2748 Ffibkj32.exe 35 PID 2748 wrote to memory of 2976 2748 Ffibkj32.exe 35 PID 2748 wrote to memory of 2976 2748 Ffibkj32.exe 35 PID 2748 wrote to memory of 2976 2748 Ffibkj32.exe 35 PID 2976 wrote to memory of 2352 2976 Fmcjhdbc.exe 36 PID 2976 wrote to memory of 2352 2976 Fmcjhdbc.exe 36 PID 2976 wrote to memory of 2352 2976 Fmcjhdbc.exe 36 PID 2976 wrote to memory of 2352 2976 Fmcjhdbc.exe 36 PID 2352 wrote to memory of 2260 2352 Fcmben32.exe 37 PID 2352 wrote to memory of 2260 2352 Fcmben32.exe 37 PID 2352 wrote to memory of 2260 2352 Fcmben32.exe 37 PID 2352 wrote to memory of 2260 2352 Fcmben32.exe 37 PID 2260 wrote to memory of 676 2260 Fdnolfon.exe 38 PID 2260 wrote to memory of 676 2260 Fdnolfon.exe 38 PID 2260 wrote to memory of 676 2260 Fdnolfon.exe 38 PID 2260 wrote to memory of 676 2260 Fdnolfon.exe 38 PID 676 wrote to memory of 792 676 Fkhgip32.exe 39 PID 676 wrote to memory of 792 676 Fkhgip32.exe 39 PID 676 wrote to memory of 792 676 Fkhgip32.exe 39 PID 676 wrote to memory of 792 676 Fkhgip32.exe 39 PID 792 wrote to memory of 2676 792 Fbbofjnh.exe 40 PID 792 wrote to memory of 2676 792 Fbbofjnh.exe 40 PID 792 wrote to memory of 2676 792 Fbbofjnh.exe 40 PID 792 wrote to memory of 2676 792 Fbbofjnh.exe 40 PID 2676 wrote to memory of 1428 2676 Fdpkbf32.exe 41 PID 2676 wrote to memory of 1428 2676 Fdpkbf32.exe 41 PID 2676 wrote to memory of 1428 2676 Fdpkbf32.exe 41 PID 2676 wrote to memory of 1428 2676 Fdpkbf32.exe 41 PID 1428 wrote to memory of 324 1428 Fgohna32.exe 42 PID 1428 wrote to memory of 324 1428 Fgohna32.exe 42 PID 1428 wrote to memory of 324 1428 Fgohna32.exe 42 PID 1428 wrote to memory of 324 1428 Fgohna32.exe 42 PID 324 wrote to memory of 2164 324 Fnipkkdl.exe 43 PID 324 wrote to memory of 2164 324 Fnipkkdl.exe 43 PID 324 wrote to memory of 2164 324 Fnipkkdl.exe 43 PID 324 wrote to memory of 2164 324 Fnipkkdl.exe 43 PID 2164 wrote to memory of 580 2164 Fdbhge32.exe 44 PID 2164 wrote to memory of 580 2164 Fdbhge32.exe 44 PID 2164 wrote to memory of 580 2164 Fdbhge32.exe 44 PID 2164 wrote to memory of 580 2164 Fdbhge32.exe 44 PID 580 wrote to memory of 1500 580 Fgadda32.exe 45 PID 580 wrote to memory of 1500 580 Fgadda32.exe 45 PID 580 wrote to memory of 1500 580 Fgadda32.exe 45 PID 580 wrote to memory of 1500 580 Fgadda32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe"C:\Users\Admin\AppData\Local\Temp\c606b11f1122d8b8c80c47fa9578df18d87510bb8a896c1fce57f9ebb861fb1a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe33⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe35⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe36⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe37⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe38⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe41⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe42⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe43⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe45⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe47⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe48⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe49⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe51⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe52⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe53⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe54⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe55⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe56⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe57⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe58⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe60⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe63⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe64⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe65⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe66⤵PID:1108
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe67⤵PID:1404
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe68⤵PID:2080
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe69⤵PID:3044
-
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe70⤵PID:2836
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe71⤵PID:2724
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe73⤵PID:2672
-
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe74⤵PID:2288
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe75⤵PID:1376
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe76⤵PID:2880
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe78⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe79⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe80⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe81⤵PID:704
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe82⤵PID:1320
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe83⤵PID:1364
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe85⤵PID:2488
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe86⤵PID:2980
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe87⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe88⤵PID:2776
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe89⤵PID:2680
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe90⤵PID:2948
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe91⤵PID:1512
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe92⤵PID:764
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe93⤵PID:2092
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe94⤵PID:1520
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe95⤵PID:808
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe96⤵PID:996
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe97⤵PID:1780
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe98⤵PID:2412
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe99⤵PID:2480
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe101⤵PID:2728
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe104⤵PID:2972
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe105⤵PID:2224
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe107⤵PID:1280
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe108⤵PID:3020
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe109⤵PID:2104
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe110⤵PID:1716
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe112⤵PID:3056
-
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe113⤵PID:2740
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe114⤵PID:2812
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe115⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe116⤵PID:1792
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe119⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe120⤵PID:1944
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-