Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
49s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 13:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c55edab27c03e6ffb7bf7aaf1a862310N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c55edab27c03e6ffb7bf7aaf1a862310N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c55edab27c03e6ffb7bf7aaf1a862310N.exe
-
Size
94KB
-
MD5
c55edab27c03e6ffb7bf7aaf1a862310
-
SHA1
4c4d542846eeb0d3eb399cf77ecb49d89b9f384d
-
SHA256
7f08987fa309fb5b21c98ba54e4c5d8bf12bd5ba45a042572242a3f369ec10ee
-
SHA512
9dd1f5d48ec97aa50e5ef29507efa42a873c2fd9746a665c14e91f09b704fefa13aed64f94f94abc6ad3a250b325b0ab943c042bd6c4ff27ed36ada4c72a31e3
-
SSDEEP
1536:hvDyHwUyCyJ4Uos/3Ugaw7Y2LjaIZTJ+7LhkiB0MPiKeEAgv:hvDyHbiJd6gaw9jaMU7uihJ5v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnaooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akkoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeecogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbpde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opaebkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlmmfef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2348 Fjbafi32.exe 2104 Flqmbd32.exe 2280 Foojop32.exe 2884 Fbmfkkbm.exe 2812 Foafdoag.exe 2764 Fhikme32.exe 2556 Fkhgip32.exe 576 Filgbdfd.exe 2860 Fkjdopeh.exe 1488 Fkmqdpce.exe 2500 Gnkmqkbi.exe 1968 Gcheib32.exe 2908 Gnmifk32.exe 2540 Gfhnjm32.exe 1672 Gnpflj32.exe 2576 Gpabcbdb.exe 272 Giiglhjb.exe 1844 Gjicfk32.exe 1540 Gmgpbf32.exe 3052 Gljpncgc.exe 1712 Hfpdkl32.exe 2364 Hbfepmmn.exe 296 Hfbaql32.exe 2376 Hpjeialg.exe 2688 Hnmeen32.exe 2852 Hhejnc32.exe 2768 Hlafnbal.exe 1784 Hanogipc.exe 2644 Hjfcpo32.exe 1856 Hapklimq.exe 1584 Hdoghdmd.exe 1156 Hndlem32.exe 1660 Hmglajcd.exe 2912 Idadnd32.exe 1984 Ihmpobck.exe 2964 Ifoqjo32.exe 2084 Ijklknbn.exe 2996 Iinmfk32.exe 1128 Iaeegh32.exe 2120 Iphecepe.exe 1072 Idcacc32.exe 1656 Ifampo32.exe 1720 Iipiljgf.exe 1088 Iipiljgf.exe 1272 Ilofhffj.exe 2056 Ipjahd32.exe 2244 Idfnicfl.exe 2296 Ibhndp32.exe 2164 Iegjqk32.exe 280 Iibfajdc.exe 2864 Iplnnd32.exe 2060 Ihhcbf32.exe 808 Ioakoq32.exe 768 Ibmgpoia.exe 2656 Iigpli32.exe 752 Jlelhe32.exe 2956 Jkhldafl.exe 580 Jbpdeogo.exe 2144 Jenpajfb.exe 1988 Jhlmmfef.exe 2052 Jkkija32.exe 1916 Jkkija32.exe 1864 Jofejpmc.exe 644 Jepmgj32.exe -
Loads dropped DLL 64 IoCs
pid Process 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 2348 Fjbafi32.exe 2348 Fjbafi32.exe 2104 Flqmbd32.exe 2104 Flqmbd32.exe 2280 Foojop32.exe 2280 Foojop32.exe 2884 Fbmfkkbm.exe 2884 Fbmfkkbm.exe 2812 Foafdoag.exe 2812 Foafdoag.exe 2764 Fhikme32.exe 2764 Fhikme32.exe 2556 Fkhgip32.exe 2556 Fkhgip32.exe 576 Filgbdfd.exe 576 Filgbdfd.exe 2860 Fkjdopeh.exe 2860 Fkjdopeh.exe 1488 Fkmqdpce.exe 1488 Fkmqdpce.exe 2500 Gnkmqkbi.exe 2500 Gnkmqkbi.exe 1968 Gcheib32.exe 1968 Gcheib32.exe 2908 Gnmifk32.exe 2908 Gnmifk32.exe 2540 Gfhnjm32.exe 2540 Gfhnjm32.exe 1672 Gnpflj32.exe 1672 Gnpflj32.exe 2576 Gpabcbdb.exe 2576 Gpabcbdb.exe 272 Giiglhjb.exe 272 Giiglhjb.exe 1844 Gjicfk32.exe 1844 Gjicfk32.exe 1540 Gmgpbf32.exe 1540 Gmgpbf32.exe 3052 Gljpncgc.exe 3052 Gljpncgc.exe 1712 Hfpdkl32.exe 1712 Hfpdkl32.exe 2364 Hbfepmmn.exe 2364 Hbfepmmn.exe 296 Hfbaql32.exe 296 Hfbaql32.exe 2376 Hpjeialg.exe 2376 Hpjeialg.exe 2688 Hnmeen32.exe 2688 Hnmeen32.exe 2852 Hhejnc32.exe 2852 Hhejnc32.exe 2768 Hlafnbal.exe 2768 Hlafnbal.exe 1784 Hanogipc.exe 1784 Hanogipc.exe 2644 Hjfcpo32.exe 2644 Hjfcpo32.exe 1856 Hapklimq.exe 1856 Hapklimq.exe 1584 Hdoghdmd.exe 1584 Hdoghdmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Abbfnh32.dll Fkmqdpce.exe File created C:\Windows\SysWOW64\Epnlhaii.dll Mchoid32.exe File created C:\Windows\SysWOW64\Gnmifk32.exe Gcheib32.exe File created C:\Windows\SysWOW64\Pmclka32.dll Ijklknbn.exe File opened for modification C:\Windows\SysWOW64\Ajnpecbj.exe Akkoig32.exe File created C:\Windows\SysWOW64\Hjfcpo32.exe Hanogipc.exe File created C:\Windows\SysWOW64\Nmnclmoj.exe Nnkcpq32.exe File created C:\Windows\SysWOW64\Kdlbfien.dll Ajnpecbj.exe File opened for modification C:\Windows\SysWOW64\Bflbigdb.exe Bcmfmlen.exe File opened for modification C:\Windows\SysWOW64\Llgjaeoj.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Aojabdlf.exe Allefimb.exe File created C:\Windows\SysWOW64\Nplbqgdb.dll Mpamde32.exe File created C:\Windows\SysWOW64\Nbngca32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Ehkhaqpk.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Pbagipfi.exe Pkjphcff.exe File created C:\Windows\SysWOW64\Dfqnol32.dll Qpbglhjq.exe File created C:\Windows\SysWOW64\Cehfkb32.exe Cbiiog32.exe File created C:\Windows\SysWOW64\Iigpli32.exe Ibmgpoia.exe File opened for modification C:\Windows\SysWOW64\Khoebi32.exe Kfpifm32.exe File opened for modification C:\Windows\SysWOW64\Aobnniji.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Bammlq32.exe Bnnaoe32.exe File created C:\Windows\SysWOW64\Hjhmbnfb.dll Cjgoje32.exe File created C:\Windows\SysWOW64\Dkejof32.dll Meoell32.exe File created C:\Windows\SysWOW64\Bljbql32.dll Pkdihhag.exe File opened for modification C:\Windows\SysWOW64\Fdkklp32.exe Famope32.exe File created C:\Windows\SysWOW64\Gphfihaj.dll Ijnbcmkk.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Kongke32.dll Nibqqh32.exe File created C:\Windows\SysWOW64\Pfebhg32.dll Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Agolnbok.exe Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Nmnclmoj.exe Nnkcpq32.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Ifkloned.dll Qngopb32.exe File created C:\Windows\SysWOW64\Feglhlfm.dll Eejopecj.exe File created C:\Windows\SysWOW64\Ghajacmo.exe Gjojef32.exe File created C:\Windows\SysWOW64\Gnfnae32.dll Mmgfqh32.exe File created C:\Windows\SysWOW64\Genddmep.dll Odjdmjgo.exe File created C:\Windows\SysWOW64\Kncinl32.dll Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Cpiqmlfm.exe Ciohqa32.exe File created C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe File opened for modification C:\Windows\SysWOW64\Gcbabpcf.exe Gqdefddb.exe File created C:\Windows\SysWOW64\Nloone32.dll Calcpm32.exe File created C:\Windows\SysWOW64\Hpdqdddf.dll Jgfcja32.exe File opened for modification C:\Windows\SysWOW64\Lfpeeqig.exe Lgmeid32.exe File created C:\Windows\SysWOW64\Fcikef32.dll Miehak32.exe File created C:\Windows\SysWOW64\Kdfkqifa.dll Mnbpjb32.exe File created C:\Windows\SysWOW64\Ajgbkbjp.exe Aflfjc32.exe File created C:\Windows\SysWOW64\Ilofhffj.exe Iipiljgf.exe File opened for modification C:\Windows\SysWOW64\Ghajacmo.exe Gjojef32.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Bkegah32.exe File opened for modification C:\Windows\SysWOW64\Kokjdb32.exe Kkoncdcp.exe File opened for modification C:\Windows\SysWOW64\Bnldjekl.exe Boidnh32.exe File opened for modification C:\Windows\SysWOW64\Jlphbbbg.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Mkndhabp.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Oghnkh32.dll Ccmpce32.exe File opened for modification C:\Windows\SysWOW64\Klhemhpk.exe Khlili32.exe File created C:\Windows\SysWOW64\Mfihkoal.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Copjdhib.exe Clbnhmjo.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Neqnqofm.exe Nfnneb32.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Ihpfgalh.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Kkjnnn32.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Objaha32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8140 8112 WerFault.exe 749 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcbgkka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filgbdfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kohnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaglmcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piqpkpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbniid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beackp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plgolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmpobck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnnko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkndb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmalldcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfebnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfaldbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foafdoag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmagfog.dll" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goplilpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cbffoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahmmdf.dll" Kofaicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejmfqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakgefqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbgfkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cileqlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iigpli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khoebi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjmijme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndoim32.dll" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll" Jfliim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglfle32.dll" Mbkpeake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnooiab.dll" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpkbn32.dll" Jliaac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igogan32.dll" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfdhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljiqocb.dll" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" Cileqlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbdfpji.dll" Klehgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenjme32.dll" Oalhqohl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihdpbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kokjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnin32.dll" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbepdhgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajbniie.dll" Mfihkoal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplkimih.dll" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjbafi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3068 wrote to memory of 2348 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 30 PID 3068 wrote to memory of 2348 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 30 PID 3068 wrote to memory of 2348 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 30 PID 3068 wrote to memory of 2348 3068 c55edab27c03e6ffb7bf7aaf1a862310N.exe 30 PID 2348 wrote to memory of 2104 2348 Fjbafi32.exe 31 PID 2348 wrote to memory of 2104 2348 Fjbafi32.exe 31 PID 2348 wrote to memory of 2104 2348 Fjbafi32.exe 31 PID 2348 wrote to memory of 2104 2348 Fjbafi32.exe 31 PID 2104 wrote to memory of 2280 2104 Flqmbd32.exe 32 PID 2104 wrote to memory of 2280 2104 Flqmbd32.exe 32 PID 2104 wrote to memory of 2280 2104 Flqmbd32.exe 32 PID 2104 wrote to memory of 2280 2104 Flqmbd32.exe 32 PID 2280 wrote to memory of 2884 2280 Foojop32.exe 33 PID 2280 wrote to memory of 2884 2280 Foojop32.exe 33 PID 2280 wrote to memory of 2884 2280 Foojop32.exe 33 PID 2280 wrote to memory of 2884 2280 Foojop32.exe 33 PID 2884 wrote to memory of 2812 2884 Fbmfkkbm.exe 34 PID 2884 wrote to memory of 2812 2884 Fbmfkkbm.exe 34 PID 2884 wrote to memory of 2812 2884 Fbmfkkbm.exe 34 PID 2884 wrote to memory of 2812 2884 Fbmfkkbm.exe 34 PID 2812 wrote to memory of 2764 2812 Foafdoag.exe 35 PID 2812 wrote to memory of 2764 2812 Foafdoag.exe 35 PID 2812 wrote to memory of 2764 2812 Foafdoag.exe 35 PID 2812 wrote to memory of 2764 2812 Foafdoag.exe 35 PID 2764 wrote to memory of 2556 2764 Fhikme32.exe 36 PID 2764 wrote to memory of 2556 2764 Fhikme32.exe 36 PID 2764 wrote to memory of 2556 2764 Fhikme32.exe 36 PID 2764 wrote to memory of 2556 2764 Fhikme32.exe 36 PID 2556 wrote to memory of 576 2556 Fkhgip32.exe 37 PID 2556 wrote to memory of 576 2556 Fkhgip32.exe 37 PID 2556 wrote to memory of 576 2556 Fkhgip32.exe 37 PID 2556 wrote to memory of 576 2556 Fkhgip32.exe 37 PID 576 wrote to memory of 2860 576 Filgbdfd.exe 38 PID 576 wrote to memory of 2860 576 Filgbdfd.exe 38 PID 576 wrote to memory of 2860 576 Filgbdfd.exe 38 PID 576 wrote to memory of 2860 576 Filgbdfd.exe 38 PID 2860 wrote to memory of 1488 2860 Fkjdopeh.exe 39 PID 2860 wrote to memory of 1488 2860 Fkjdopeh.exe 39 PID 2860 wrote to memory of 1488 2860 Fkjdopeh.exe 39 PID 2860 wrote to memory of 1488 2860 Fkjdopeh.exe 39 PID 1488 wrote to memory of 2500 1488 Fkmqdpce.exe 40 PID 1488 wrote to memory of 2500 1488 Fkmqdpce.exe 40 PID 1488 wrote to memory of 2500 1488 Fkmqdpce.exe 40 PID 1488 wrote to memory of 2500 1488 Fkmqdpce.exe 40 PID 2500 wrote to memory of 1968 2500 Gnkmqkbi.exe 41 PID 2500 wrote to memory of 1968 2500 Gnkmqkbi.exe 41 PID 2500 wrote to memory of 1968 2500 Gnkmqkbi.exe 41 PID 2500 wrote to memory of 1968 2500 Gnkmqkbi.exe 41 PID 1968 wrote to memory of 2908 1968 Gcheib32.exe 42 PID 1968 wrote to memory of 2908 1968 Gcheib32.exe 42 PID 1968 wrote to memory of 2908 1968 Gcheib32.exe 42 PID 1968 wrote to memory of 2908 1968 Gcheib32.exe 42 PID 2908 wrote to memory of 2540 2908 Gnmifk32.exe 43 PID 2908 wrote to memory of 2540 2908 Gnmifk32.exe 43 PID 2908 wrote to memory of 2540 2908 Gnmifk32.exe 43 PID 2908 wrote to memory of 2540 2908 Gnmifk32.exe 43 PID 2540 wrote to memory of 1672 2540 Gfhnjm32.exe 44 PID 2540 wrote to memory of 1672 2540 Gfhnjm32.exe 44 PID 2540 wrote to memory of 1672 2540 Gfhnjm32.exe 44 PID 2540 wrote to memory of 1672 2540 Gfhnjm32.exe 44 PID 1672 wrote to memory of 2576 1672 Gnpflj32.exe 45 PID 1672 wrote to memory of 2576 1672 Gnpflj32.exe 45 PID 1672 wrote to memory of 2576 1672 Gnpflj32.exe 45 PID 1672 wrote to memory of 2576 1672 Gnpflj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c55edab27c03e6ffb7bf7aaf1a862310N.exe"C:\Users\Admin\AppData\Local\Temp\c55edab27c03e6ffb7bf7aaf1a862310N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:272 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:296 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe33⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe34⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe39⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe40⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe41⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe42⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe43⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe44⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe46⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe47⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe48⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe49⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe50⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe51⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe53⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe54⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe57⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe58⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe60⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe62⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe63⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe64⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe65⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe66⤵PID:344
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe67⤵PID:2300
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe68⤵PID:2452
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe69⤵PID:2448
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe71⤵PID:2728
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe73⤵PID:108
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe74⤵PID:2876
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe75⤵PID:2784
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe76⤵PID:316
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe77⤵PID:2116
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe78⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe79⤵PID:3004
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe80⤵PID:680
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe81⤵PID:2492
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe82⤵PID:760
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe83⤵PID:2528
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe84⤵PID:564
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe85⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe86⤵PID:2820
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe87⤵PID:2284
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe89⤵PID:664
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe90⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe91⤵PID:2432
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe92⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe94⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe95⤵PID:2520
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe96⤵PID:2692
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe98⤵PID:2536
-
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe99⤵PID:2380
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe100⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe101⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe102⤵PID:2024
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe103⤵PID:1232
-
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe104⤵PID:2388
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe105⤵PID:1752
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe106⤵PID:2180
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe107⤵PID:2340
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe108⤵PID:2184
-
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe109⤵PID:1512
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe110⤵PID:1236
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe111⤵PID:2680
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe112⤵PID:2760
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe113⤵PID:2480
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe114⤵PID:532
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe115⤵PID:1980
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe116⤵PID:1336
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe117⤵PID:1432
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe118⤵PID:1740
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe119⤵
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe120⤵PID:964
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe121⤵PID:2176
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-