Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 11:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe
-
Size
59KB
-
MD5
560ec2151e5c1478f6d51a9d3a0e6d36
-
SHA1
cee11cc6b1a3180acecc1bd9ddcece301a55f39f
-
SHA256
f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b
-
SHA512
e8837cc6b8218ed92d4881ff95516e17e52a1a6b18221fcbfeb8163002e576fd73f8c523c8dbeb02ad9a8df1ecb321307404051d86a00a9d094f267b5fda00f9
-
SSDEEP
768:U3cj5AdMlyOH3FmTAi4LVC3gsitWHWLXzS6ILqJUXlGZ/1H5y5nf1fZMEBFELvkH:LitOSAiAshuHXzSCJUXaMNCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfpmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnhjjml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgoff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmfne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gagkjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebckmaec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhgpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadbdkld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdiokbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibkmchbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimcjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjdhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncinap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaapcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnhpglg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjofl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jieaofmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opialpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe -
Executes dropped EXE 64 IoCs
pid Process 2676 Eheglk32.exe 2796 Elacliin.exe 2824 Eeiheo32.exe 2720 Edlhqlfi.exe 2620 Emdmjamj.exe 2992 Edoefl32.exe 3000 Egmabg32.exe 1256 Emgioakg.exe 1580 Epeekmjk.exe 584 Ekkjheja.exe 2612 Emifeqid.exe 1664 Edcnakpa.exe 1956 Ekmfne32.exe 2928 Fpjofl32.exe 2240 Fchkbg32.exe 1112 Fmnopp32.exe 2168 Foolgh32.exe 1992 Fckhhgcf.exe 968 Feiddbbj.exe 2132 Fhgppnan.exe 1540 Foahmh32.exe 1732 Figmjq32.exe 996 Fhjmfnok.exe 2456 Fdqnkoep.exe 1984 Fhljkm32.exe 2752 Fkkfgi32.exe 2900 Fepjea32.exe 2552 Goiongbc.exe 2588 Gagkjbaf.exe 2984 Gdegfn32.exe 1436 Gjbpne32.exe 2648 Gaihob32.exe 1072 Gkalhgfd.exe 772 Gnphdceh.exe 2428 Gqodqodl.exe 1164 Gdjqamme.exe 788 Gfkmie32.exe 1736 Gjgiidkl.exe 236 Gnbejb32.exe 2404 Gmeeepjp.exe 2396 Gqaafn32.exe 2184 Gfnjne32.exe 2120 Ghlfjq32.exe 964 Gmhbkohm.exe 2516 Gqcnln32.exe 1824 Hcajhi32.exe 1532 Hjlbdc32.exe 1752 Hinbppna.exe 2256 Hcdgmimg.exe 776 Hcdgmimg.exe 1056 Hfbcidmk.exe 2484 Hokhbj32.exe 1588 Hfepod32.exe 2840 Hegpjaac.exe 2976 Hiclkp32.exe 2956 Hnbaif32.exe 2880 Haqnea32.exe 1168 Heliepmn.exe 2604 Ikfbbjdj.exe 2872 Indnnfdn.exe 2868 Iacjjacb.exe 2080 Ieofkp32.exe 2116 Icafgmbe.exe 1092 Ijkocg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 2676 Eheglk32.exe 2676 Eheglk32.exe 2796 Elacliin.exe 2796 Elacliin.exe 2824 Eeiheo32.exe 2824 Eeiheo32.exe 2720 Edlhqlfi.exe 2720 Edlhqlfi.exe 2620 Emdmjamj.exe 2620 Emdmjamj.exe 2992 Edoefl32.exe 2992 Edoefl32.exe 3000 Egmabg32.exe 3000 Egmabg32.exe 1256 Emgioakg.exe 1256 Emgioakg.exe 1580 Epeekmjk.exe 1580 Epeekmjk.exe 584 Ekkjheja.exe 584 Ekkjheja.exe 2612 Emifeqid.exe 2612 Emifeqid.exe 1664 Edcnakpa.exe 1664 Edcnakpa.exe 1956 Ekmfne32.exe 1956 Ekmfne32.exe 2928 Fpjofl32.exe 2928 Fpjofl32.exe 2240 Fchkbg32.exe 2240 Fchkbg32.exe 1112 Fmnopp32.exe 1112 Fmnopp32.exe 2168 Foolgh32.exe 2168 Foolgh32.exe 1992 Fckhhgcf.exe 1992 Fckhhgcf.exe 968 Feiddbbj.exe 968 Feiddbbj.exe 2132 Fhgppnan.exe 2132 Fhgppnan.exe 1540 Foahmh32.exe 1540 Foahmh32.exe 1732 Figmjq32.exe 1732 Figmjq32.exe 996 Fhjmfnok.exe 996 Fhjmfnok.exe 2456 Fdqnkoep.exe 2456 Fdqnkoep.exe 1984 Fhljkm32.exe 1984 Fhljkm32.exe 2752 Fkkfgi32.exe 2752 Fkkfgi32.exe 2900 Fepjea32.exe 2900 Fepjea32.exe 2552 Goiongbc.exe 2552 Goiongbc.exe 2588 Gagkjbaf.exe 2588 Gagkjbaf.exe 2984 Gdegfn32.exe 2984 Gdegfn32.exe 1436 Gjbpne32.exe 1436 Gjbpne32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ojbbmnhc.exe Ohdfqbio.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Goqnae32.exe File created C:\Windows\SysWOW64\Aonalffc.dll Ikgkei32.exe File created C:\Windows\SysWOW64\Omfpmb32.dll Jmdgipkk.exe File opened for modification C:\Windows\SysWOW64\Nmcopebh.exe Nihcog32.exe File created C:\Windows\SysWOW64\Kigndekn.exe Kkdnhi32.exe File opened for modification C:\Windows\SysWOW64\Edcnakpa.exe Emifeqid.exe File opened for modification C:\Windows\SysWOW64\Cqdfehii.exe Cmhjdiap.exe File opened for modification C:\Windows\SysWOW64\Igqhpj32.exe Iinhdmma.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Gonale32.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Mphiqbon.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Mndofg32.dll Dnhbmpkn.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Eblelb32.exe File created C:\Windows\SysWOW64\Hfenefej.dll Efhqmadd.exe File created C:\Windows\SysWOW64\Iknafhjb.exe Igceej32.exe File opened for modification C:\Windows\SysWOW64\Nnleiipc.exe Nknimnap.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Ifbphh32.exe File created C:\Windows\SysWOW64\Fgglcg32.dll Pjihmmbk.exe File opened for modification C:\Windows\SysWOW64\Bdhleh32.exe Bqmpdioa.exe File opened for modification C:\Windows\SysWOW64\Lkjmfjmi.exe Llgljn32.exe File created C:\Windows\SysWOW64\Iphgln32.exe Iaegpaao.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Kekkiq32.exe File opened for modification C:\Windows\SysWOW64\Epeekmjk.exe Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Fepjea32.exe Fkkfgi32.exe File opened for modification C:\Windows\SysWOW64\Agbbgqhh.exe Addfkeid.exe File created C:\Windows\SysWOW64\Feddombd.exe Fahhnn32.exe File opened for modification C:\Windows\SysWOW64\Deondj32.exe Dadbdkld.exe File created C:\Windows\SysWOW64\Kpdcfoph.exe Klhgfq32.exe File created C:\Windows\SysWOW64\Lkggmldl.exe Lhhkapeh.exe File created C:\Windows\SysWOW64\Ifkmqd32.dll Jfcabd32.exe File opened for modification C:\Windows\SysWOW64\Aeoijidl.exe Qmhahkdj.exe File created C:\Windows\SysWOW64\Pjihmmbk.exe Pfnmmn32.exe File opened for modification C:\Windows\SysWOW64\Eppefg32.exe Emaijk32.exe File created C:\Windows\SysWOW64\Jfmkbebl.exe Jcnoejch.exe File created C:\Windows\SysWOW64\Qejpoi32.exe Paocnkph.exe File opened for modification C:\Windows\SysWOW64\Bcpimq32.exe Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Fdiqpigl.exe Fakdcnhh.exe File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eppefg32.exe File created C:\Windows\SysWOW64\Kjeglh32.exe Klcgpkhh.exe File opened for modification C:\Windows\SysWOW64\Ldgnklmi.exe Lplbjm32.exe File created C:\Windows\SysWOW64\Dcjkhi32.dll Foahmh32.exe File created C:\Windows\SysWOW64\Icafgmbe.exe Ieofkp32.exe File created C:\Windows\SysWOW64\Pioeoi32.exe Pfpibn32.exe File created C:\Windows\SysWOW64\Kpieengb.exe Kageia32.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mciabmlo.exe File created C:\Windows\SysWOW64\Pfpibn32.exe Pbemboof.exe File created C:\Windows\SysWOW64\Dbhbaq32.dll Afliclij.exe File created C:\Windows\SysWOW64\Clffbc32.dll Hkjkle32.exe File created C:\Windows\SysWOW64\Kindeddf.exe Kechdf32.exe File opened for modification C:\Windows\SysWOW64\Mkipao32.exe Mgmdapml.exe File created C:\Windows\SysWOW64\Apmcefmf.exe Anogijnb.exe File created C:\Windows\SysWOW64\Klcgpkhh.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Liqbnn32.dll Fchkbg32.exe File created C:\Windows\SysWOW64\Ajdmngfm.dll Jmnqje32.exe File opened for modification C:\Windows\SysWOW64\Alddjg32.exe Anadojlo.exe File opened for modification C:\Windows\SysWOW64\Emifeqid.exe Ekkjheja.exe File opened for modification C:\Windows\SysWOW64\Gagkjbaf.exe Goiongbc.exe File created C:\Windows\SysWOW64\Qobdgo32.exe Qkghgpfi.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Kpgionie.exe Kmimcbja.exe File created C:\Windows\SysWOW64\Hfopbgif.dll Ldgnklmi.exe File created C:\Windows\SysWOW64\Leikbd32.exe Lgfjggll.exe File created C:\Windows\SysWOW64\Hnbaif32.exe Hiclkp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5576 5264 WerFault.exe 577 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofcbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgioakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqnkoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkalhgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikhnaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaogognm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjmfjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenhopmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenoifpb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmichb32.dll" Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kechdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphgln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdledbi.dll" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Emaijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmiogi32.dll" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddbjhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjgiobf.dll" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjljfn32.dll" Iacjjacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpqfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmbnqfg.dll" Fdkmeiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjaekpm.dll" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdadjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghgj32.dll" Eimcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbejb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haqnea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgljaj32.dll" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glcgij32.dll" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofjjbcd.dll" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcedad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnefhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajflifmi.dll" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndlbd32.dll" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahp32.dll" Ibipmiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenoifpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnecigcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgppnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhbkohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oecmogln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdkef32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2636 wrote to memory of 2676 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 31 PID 2636 wrote to memory of 2676 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 31 PID 2636 wrote to memory of 2676 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 31 PID 2636 wrote to memory of 2676 2636 f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe 31 PID 2676 wrote to memory of 2796 2676 Eheglk32.exe 32 PID 2676 wrote to memory of 2796 2676 Eheglk32.exe 32 PID 2676 wrote to memory of 2796 2676 Eheglk32.exe 32 PID 2676 wrote to memory of 2796 2676 Eheglk32.exe 32 PID 2796 wrote to memory of 2824 2796 Elacliin.exe 33 PID 2796 wrote to memory of 2824 2796 Elacliin.exe 33 PID 2796 wrote to memory of 2824 2796 Elacliin.exe 33 PID 2796 wrote to memory of 2824 2796 Elacliin.exe 33 PID 2824 wrote to memory of 2720 2824 Eeiheo32.exe 34 PID 2824 wrote to memory of 2720 2824 Eeiheo32.exe 34 PID 2824 wrote to memory of 2720 2824 Eeiheo32.exe 34 PID 2824 wrote to memory of 2720 2824 Eeiheo32.exe 34 PID 2720 wrote to memory of 2620 2720 Edlhqlfi.exe 35 PID 2720 wrote to memory of 2620 2720 Edlhqlfi.exe 35 PID 2720 wrote to memory of 2620 2720 Edlhqlfi.exe 35 PID 2720 wrote to memory of 2620 2720 Edlhqlfi.exe 35 PID 2620 wrote to memory of 2992 2620 Emdmjamj.exe 36 PID 2620 wrote to memory of 2992 2620 Emdmjamj.exe 36 PID 2620 wrote to memory of 2992 2620 Emdmjamj.exe 36 PID 2620 wrote to memory of 2992 2620 Emdmjamj.exe 36 PID 2992 wrote to memory of 3000 2992 Edoefl32.exe 37 PID 2992 wrote to memory of 3000 2992 Edoefl32.exe 37 PID 2992 wrote to memory of 3000 2992 Edoefl32.exe 37 PID 2992 wrote to memory of 3000 2992 Edoefl32.exe 37 PID 3000 wrote to memory of 1256 3000 Egmabg32.exe 38 PID 3000 wrote to memory of 1256 3000 Egmabg32.exe 38 PID 3000 wrote to memory of 1256 3000 Egmabg32.exe 38 PID 3000 wrote to memory of 1256 3000 Egmabg32.exe 38 PID 1256 wrote to memory of 1580 1256 Emgioakg.exe 39 PID 1256 wrote to memory of 1580 1256 Emgioakg.exe 39 PID 1256 wrote to memory of 1580 1256 Emgioakg.exe 39 PID 1256 wrote to memory of 1580 1256 Emgioakg.exe 39 PID 1580 wrote to memory of 584 1580 Epeekmjk.exe 40 PID 1580 wrote to memory of 584 1580 Epeekmjk.exe 40 PID 1580 wrote to memory of 584 1580 Epeekmjk.exe 40 PID 1580 wrote to memory of 584 1580 Epeekmjk.exe 40 PID 584 wrote to memory of 2612 584 Ekkjheja.exe 41 PID 584 wrote to memory of 2612 584 Ekkjheja.exe 41 PID 584 wrote to memory of 2612 584 Ekkjheja.exe 41 PID 584 wrote to memory of 2612 584 Ekkjheja.exe 41 PID 2612 wrote to memory of 1664 2612 Emifeqid.exe 42 PID 2612 wrote to memory of 1664 2612 Emifeqid.exe 42 PID 2612 wrote to memory of 1664 2612 Emifeqid.exe 42 PID 2612 wrote to memory of 1664 2612 Emifeqid.exe 42 PID 1664 wrote to memory of 1956 1664 Edcnakpa.exe 43 PID 1664 wrote to memory of 1956 1664 Edcnakpa.exe 43 PID 1664 wrote to memory of 1956 1664 Edcnakpa.exe 43 PID 1664 wrote to memory of 1956 1664 Edcnakpa.exe 43 PID 1956 wrote to memory of 2928 1956 Ekmfne32.exe 44 PID 1956 wrote to memory of 2928 1956 Ekmfne32.exe 44 PID 1956 wrote to memory of 2928 1956 Ekmfne32.exe 44 PID 1956 wrote to memory of 2928 1956 Ekmfne32.exe 44 PID 2928 wrote to memory of 2240 2928 Fpjofl32.exe 45 PID 2928 wrote to memory of 2240 2928 Fpjofl32.exe 45 PID 2928 wrote to memory of 2240 2928 Fpjofl32.exe 45 PID 2928 wrote to memory of 2240 2928 Fpjofl32.exe 45 PID 2240 wrote to memory of 1112 2240 Fchkbg32.exe 46 PID 2240 wrote to memory of 1112 2240 Fchkbg32.exe 46 PID 2240 wrote to memory of 1112 2240 Fchkbg32.exe 46 PID 2240 wrote to memory of 1112 2240 Fchkbg32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe"C:\Users\Admin\AppData\Local\Temp\f03ea7917b3d7fffb7abf1fe063ec40428204d87890114cb339c02ad6054e03b.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe33⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe35⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe36⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe37⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe38⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe39⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe41⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe42⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe44⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe47⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe48⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe49⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe50⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe51⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe52⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe53⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe59⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe61⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe64⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe65⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe66⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe67⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe68⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe70⤵PID:2884
-
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe71⤵PID:2288
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe72⤵PID:2188
-
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe74⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe76⤵PID:2252
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe77⤵PID:332
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe78⤵PID:556
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe81⤵PID:3064
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe82⤵PID:1776
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe83⤵PID:1872
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe84⤵PID:2424
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe85⤵PID:1740
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe86⤵PID:2828
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe87⤵PID:2628
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe88⤵PID:1968
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe89⤵PID:2820
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe90⤵PID:2576
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe91⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe92⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe93⤵PID:856
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe94⤵PID:2848
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe95⤵PID:1408
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe96⤵PID:1708
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe97⤵PID:1140
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe99⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe101⤵PID:2768
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe102⤵PID:496
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe103⤵PID:2032
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe104⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe105⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe106⤵PID:2780
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe107⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe109⤵PID:2444
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe110⤵PID:2160
-
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe111⤵PID:2508
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe112⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe113⤵PID:2968
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe114⤵PID:2876
-
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe115⤵PID:2264
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe116⤵PID:1448
-
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe118⤵PID:2364
-
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe120⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe121⤵
- System Location Discovery: System Language Discovery
PID:696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-