Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
80s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/09/2024, 18:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe
-
Size
100KB
-
MD5
bb87e648b501b39932b49d625cca8350
-
SHA1
86a4c68d1dc4977523153baebb8bbff8cd0f67c7
-
SHA256
c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541
-
SHA512
5d2481868a2ef003b71f522c401f9ed5ee9b822e1f721e55d9f1448eac4aa1bc046b46b9d96abc9f2504a7efd55797d09b1f793ca476bb2408021b3c6c732a27
-
SSDEEP
1536:8Z4axodFOCzKN4K0C7MfSNWpCASN4SW+w8NHkSggKkFgblQQa3+om13XRzT:I4aGvzbKNWpCA+Nflgb3a3+X13XRzT
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phelnhnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaihjbno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llooad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjmpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nccmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfieec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcaiqfib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geqnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqejjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecklgdag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glmckikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndqokc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndclpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fglkeaqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cincaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijolbfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahomlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolffjap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemggm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpehn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapfmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oblmom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnohmog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihopjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mffgfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmdfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjnolap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inbobn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdmahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkampao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goicaell.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memonbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpphipbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebghkjjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epakcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahomlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkmegaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgikklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogiegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbaafak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qegnii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idagdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pinnfonh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijgemok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knldaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombhgljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alfpab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnoepam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkpgh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2288 Kjlgaa32.exe 2876 Kpeonkig.exe 2140 Ljpqlqmd.exe 2660 Lpmeojbo.exe 2632 Lhhjcmpj.exe 2052 Lodoefed.exe 2392 Mhlcnl32.exe 2972 Mbgela32.exe 3060 Mmafmo32.exe 2832 Mpaoojjb.exe 2196 Nqakim32.exe 1028 Njipabhe.exe 772 Nmjicn32.exe 2508 Nhdjdk32.exe 2236 Nehjmppo.exe 1996 Odmgnl32.exe 1820 Oaaghp32.exe 1108 Oiniaboi.exe 2488 Oddmokoo.exe 1408 Oiqegb32.exe 2168 Pbkgegad.exe 1744 Phklcn32.exe 692 Pbppqf32.exe 3024 Pogaeg32.exe 2104 Peaibajp.exe 2280 Pahjgb32.exe 2784 Qnoklc32.exe 2764 Qdkpomkb.exe 2672 Aellfe32.exe 2812 Aodqok32.exe 2808 Aogmdk32.exe 2576 Ahancp32.exe 1800 Abjcleqm.exe 1580 Bdklnq32.exe 2220 Bbolge32.exe 3064 Bcpiombe.exe 2116 Bnemlf32.exe 1404 Bcbedm32.exe 1192 Bjnjfffm.exe 2512 Ckdpinhf.exe 1896 Cihqbb32.exe 2436 Cafbmdbh.exe 328 Cjngej32.exe 928 Dedkbb32.exe 1540 Djqcki32.exe 1524 Dnlolhoo.exe 2600 Dhdddnep.exe 2044 Difplf32.exe 2068 Dpphipbk.exe 2824 Dfjaej32.exe 2092 Dpbenpqh.exe 2304 Dflnkjhe.exe 2948 Dlifcqfl.exe 2060 Dbcnpk32.exe 2712 Dimfmeef.exe 3004 Epgoio32.exe 2376 Ehbcnajn.exe 3044 Ebghkjjc.exe 2892 Eefdgeig.exe 2136 Elpldp32.exe 1708 Eamdlf32.exe 2448 Egimdmmc.exe 2272 Eaoaafli.exe 2080 Egljjmkp.exe -
Loads dropped DLL 64 IoCs
pid Process 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 2288 Kjlgaa32.exe 2288 Kjlgaa32.exe 2876 Kpeonkig.exe 2876 Kpeonkig.exe 2140 Ljpqlqmd.exe 2140 Ljpqlqmd.exe 2660 Lpmeojbo.exe 2660 Lpmeojbo.exe 2632 Lhhjcmpj.exe 2632 Lhhjcmpj.exe 2052 Lodoefed.exe 2052 Lodoefed.exe 2392 Mhlcnl32.exe 2392 Mhlcnl32.exe 2972 Mbgela32.exe 2972 Mbgela32.exe 3060 Mmafmo32.exe 3060 Mmafmo32.exe 2832 Mpaoojjb.exe 2832 Mpaoojjb.exe 2196 Nqakim32.exe 2196 Nqakim32.exe 1028 Njipabhe.exe 1028 Njipabhe.exe 772 Nmjicn32.exe 772 Nmjicn32.exe 2508 Nhdjdk32.exe 2508 Nhdjdk32.exe 2236 Nehjmppo.exe 2236 Nehjmppo.exe 1996 Odmgnl32.exe 1996 Odmgnl32.exe 1820 Oaaghp32.exe 1820 Oaaghp32.exe 1108 Oiniaboi.exe 1108 Oiniaboi.exe 2488 Oddmokoo.exe 2488 Oddmokoo.exe 1408 Oiqegb32.exe 1408 Oiqegb32.exe 2168 Pbkgegad.exe 2168 Pbkgegad.exe 1744 Phklcn32.exe 1744 Phklcn32.exe 692 Pbppqf32.exe 692 Pbppqf32.exe 3024 Pogaeg32.exe 3024 Pogaeg32.exe 2104 Peaibajp.exe 2104 Peaibajp.exe 2280 Pahjgb32.exe 2280 Pahjgb32.exe 2784 Qnoklc32.exe 2784 Qnoklc32.exe 2764 Qdkpomkb.exe 2764 Qdkpomkb.exe 2672 Aellfe32.exe 2672 Aellfe32.exe 2812 Aodqok32.exe 2812 Aodqok32.exe 2808 Aogmdk32.exe 2808 Aogmdk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kfccmini.exe Kmkodd32.exe File created C:\Windows\SysWOW64\Pkgeaneg.dll Mdlfpcnd.exe File opened for modification C:\Windows\SysWOW64\Aeajcf32.exe Aikine32.exe File opened for modification C:\Windows\SysWOW64\Epgoio32.exe Dimfmeef.exe File opened for modification C:\Windows\SysWOW64\Epakcm32.exe Efbpihoo.exe File opened for modification C:\Windows\SysWOW64\Jehklc32.exe Jmqckf32.exe File created C:\Windows\SysWOW64\Nflidmic.exe Mjeholco.exe File created C:\Windows\SysWOW64\Bqqclmpe.dll Aeahjn32.exe File created C:\Windows\SysWOW64\Ggqamh32.exe Gadidabc.exe File opened for modification C:\Windows\SysWOW64\Hhhmki32.exe Geehcoaf.exe File opened for modification C:\Windows\SysWOW64\Kbjmhd32.exe Knldaf32.exe File created C:\Windows\SysWOW64\Mcllmmbh.dll Dnlolhoo.exe File created C:\Windows\SysWOW64\Ojnhdn32.exe Oafclh32.exe File created C:\Windows\SysWOW64\Mhbdligd.dll Ndqokc32.exe File opened for modification C:\Windows\SysWOW64\Acldpojj.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Lfdanc32.dll Gaiehjfb.exe File opened for modification C:\Windows\SysWOW64\Nnkqih32.exe Ndclpb32.exe File created C:\Windows\SysWOW64\Lngblqbj.dll Ehbdif32.exe File created C:\Windows\SysWOW64\Mbgela32.exe Mhlcnl32.exe File created C:\Windows\SysWOW64\Hplped32.dll Dpbenpqh.exe File created C:\Windows\SysWOW64\Ijhbkmbo.dll Hkndiabh.exe File opened for modification C:\Windows\SysWOW64\Obffpa32.exe Oebffm32.exe File created C:\Windows\SysWOW64\Mfihbo32.dll Dmllgo32.exe File created C:\Windows\SysWOW64\Iofledji.dll Ohcohh32.exe File created C:\Windows\SysWOW64\Ppbgeq32.dll Iqnlpq32.exe File opened for modification C:\Windows\SysWOW64\Fdhlphff.exe Fnkchahn.exe File created C:\Windows\SysWOW64\Bgjoaane.dll Ingogcke.exe File created C:\Windows\SysWOW64\Kjenbk32.dll Hdapggln.exe File created C:\Windows\SysWOW64\Dlmoai32.dll Nmnoll32.exe File created C:\Windows\SysWOW64\Aelgdhei.exe Ajfcgoec.exe File opened for modification C:\Windows\SysWOW64\Pemdic32.exe Pkeppngm.exe File created C:\Windows\SysWOW64\Kikakd32.dll Epakcm32.exe File created C:\Windows\SysWOW64\Ghaeaaki.exe Gcdmikma.exe File opened for modification C:\Windows\SysWOW64\Mdfcaegj.exe Mgbcha32.exe File created C:\Windows\SysWOW64\Njnknedk.dll Pejejkhl.exe File created C:\Windows\SysWOW64\Fjjeid32.exe Fdpmljan.exe File created C:\Windows\SysWOW64\Lggndgpg.dll Kmpfgklo.exe File opened for modification C:\Windows\SysWOW64\Kbedmedg.exe Jnnehb32.exe File opened for modification C:\Windows\SysWOW64\Enmplm32.exe Egchocif.exe File created C:\Windows\SysWOW64\Fangfcki.exe Fhfbmn32.exe File opened for modification C:\Windows\SysWOW64\Bkmegaaf.exe Bepmokco.exe File created C:\Windows\SysWOW64\Mbgapn32.dll Dafchi32.exe File opened for modification C:\Windows\SysWOW64\Ckilmfke.exe Cfmceomm.exe File opened for modification C:\Windows\SysWOW64\Jmplqp32.exe Jbkhcg32.exe File created C:\Windows\SysWOW64\Coapim32.dll Jjpehn32.exe File created C:\Windows\SysWOW64\Nmhhdpoh.dll Apgnpo32.exe File created C:\Windows\SysWOW64\Djqcki32.exe Dedkbb32.exe File created C:\Windows\SysWOW64\Ldodne32.dll Bkkiab32.exe File opened for modification C:\Windows\SysWOW64\Eqninhmc.exe Ehbdif32.exe File opened for modification C:\Windows\SysWOW64\Fbflfomj.exe Fmicnhob.exe File created C:\Windows\SysWOW64\Gjoflo32.dll Emlkoknp.exe File created C:\Windows\SysWOW64\Kaojiqej.exe Kkbbqjgb.exe File created C:\Windows\SysWOW64\Kiamql32.exe Kdeehe32.exe File created C:\Windows\SysWOW64\Plbaafak.exe Ocglmcdp.exe File created C:\Windows\SysWOW64\Qaipao32.dll Ajfcgoec.exe File created C:\Windows\SysWOW64\Gcfbhb32.dll Blabef32.exe File created C:\Windows\SysWOW64\Fddfbm32.dll Ecabfpff.exe File created C:\Windows\SysWOW64\Eaojgf32.dll Hlebog32.exe File created C:\Windows\SysWOW64\Ebjldp32.dll Kplfmfmf.exe File opened for modification C:\Windows\SysWOW64\Deljfqmf.exe Dnbbjf32.exe File opened for modification C:\Windows\SysWOW64\Aelgdhei.exe Ajfcgoec.exe File created C:\Windows\SysWOW64\Mmojcceo.exe Mgebfi32.exe File created C:\Windows\SysWOW64\Qkgcak32.dll Oqfeda32.exe File created C:\Windows\SysWOW64\Ikhlaaif.exe Indkgm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3732 3136 WerFault.exe 649 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngafdepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgkhoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhjejai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfedhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjbphod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddmkkpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpikmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbighojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkiikm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaoaafli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmchljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgchckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkchahn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblflgqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipbidbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pipklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfhjfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cefpmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imidgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paqoef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjceidf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgagnjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lielphqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchiao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbdif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbokj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agonig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcfle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eefdgeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkbmcba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdchifik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeeeeehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpknl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmnfajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egobfdpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memonbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnpoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekpknlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbioilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmceomm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblpnepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblkgh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djibogkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnkchahn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfnpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llpajmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idkdfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkiikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecjaf32.dll" Cafbmdbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhdpjaga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdllci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhdddnep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oeeeeehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgglia32.dll" Qnoklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cneheief.dll" Nhbnjpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll" Epakcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cljajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjdel32.dll" Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhlcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfodod32.dll" Egobfdpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejlka32.dll" Kemgqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnhhia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npdlpnnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefeaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmdpf32.dll" Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dconnjln.dll" Kjdpcnfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiqegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Memonbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloibpen.dll" Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjjeid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbdhbnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbnpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcfojhhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bepmokco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlokegib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eelinm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djocmfki.dll" Ocbekmpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmicnhob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llooad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfhmhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmhhleb.dll" Ifloeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocphembl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meieho32.dll" Hbagaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blabef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabmdd32.dll" Kmeiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olhmnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkddaih.dll" Imfgahao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfieec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gadidabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagenl32.dll" Kmkodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglahnha.dll" Opennf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijjgkmqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckaokam.dll" Cgmiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkjagdj.dll" Npbpjn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2288 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 29 PID 2180 wrote to memory of 2288 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 29 PID 2180 wrote to memory of 2288 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 29 PID 2180 wrote to memory of 2288 2180 c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe 29 PID 2288 wrote to memory of 2876 2288 Kjlgaa32.exe 30 PID 2288 wrote to memory of 2876 2288 Kjlgaa32.exe 30 PID 2288 wrote to memory of 2876 2288 Kjlgaa32.exe 30 PID 2288 wrote to memory of 2876 2288 Kjlgaa32.exe 30 PID 2876 wrote to memory of 2140 2876 Kpeonkig.exe 31 PID 2876 wrote to memory of 2140 2876 Kpeonkig.exe 31 PID 2876 wrote to memory of 2140 2876 Kpeonkig.exe 31 PID 2876 wrote to memory of 2140 2876 Kpeonkig.exe 31 PID 2140 wrote to memory of 2660 2140 Ljpqlqmd.exe 32 PID 2140 wrote to memory of 2660 2140 Ljpqlqmd.exe 32 PID 2140 wrote to memory of 2660 2140 Ljpqlqmd.exe 32 PID 2140 wrote to memory of 2660 2140 Ljpqlqmd.exe 32 PID 2660 wrote to memory of 2632 2660 Lpmeojbo.exe 33 PID 2660 wrote to memory of 2632 2660 Lpmeojbo.exe 33 PID 2660 wrote to memory of 2632 2660 Lpmeojbo.exe 33 PID 2660 wrote to memory of 2632 2660 Lpmeojbo.exe 33 PID 2632 wrote to memory of 2052 2632 Lhhjcmpj.exe 34 PID 2632 wrote to memory of 2052 2632 Lhhjcmpj.exe 34 PID 2632 wrote to memory of 2052 2632 Lhhjcmpj.exe 34 PID 2632 wrote to memory of 2052 2632 Lhhjcmpj.exe 34 PID 2052 wrote to memory of 2392 2052 Lodoefed.exe 35 PID 2052 wrote to memory of 2392 2052 Lodoefed.exe 35 PID 2052 wrote to memory of 2392 2052 Lodoefed.exe 35 PID 2052 wrote to memory of 2392 2052 Lodoefed.exe 35 PID 2392 wrote to memory of 2972 2392 Mhlcnl32.exe 36 PID 2392 wrote to memory of 2972 2392 Mhlcnl32.exe 36 PID 2392 wrote to memory of 2972 2392 Mhlcnl32.exe 36 PID 2392 wrote to memory of 2972 2392 Mhlcnl32.exe 36 PID 2972 wrote to memory of 3060 2972 Mbgela32.exe 37 PID 2972 wrote to memory of 3060 2972 Mbgela32.exe 37 PID 2972 wrote to memory of 3060 2972 Mbgela32.exe 37 PID 2972 wrote to memory of 3060 2972 Mbgela32.exe 37 PID 3060 wrote to memory of 2832 3060 Mmafmo32.exe 38 PID 3060 wrote to memory of 2832 3060 Mmafmo32.exe 38 PID 3060 wrote to memory of 2832 3060 Mmafmo32.exe 38 PID 3060 wrote to memory of 2832 3060 Mmafmo32.exe 38 PID 2832 wrote to memory of 2196 2832 Mpaoojjb.exe 39 PID 2832 wrote to memory of 2196 2832 Mpaoojjb.exe 39 PID 2832 wrote to memory of 2196 2832 Mpaoojjb.exe 39 PID 2832 wrote to memory of 2196 2832 Mpaoojjb.exe 39 PID 2196 wrote to memory of 1028 2196 Nqakim32.exe 40 PID 2196 wrote to memory of 1028 2196 Nqakim32.exe 40 PID 2196 wrote to memory of 1028 2196 Nqakim32.exe 40 PID 2196 wrote to memory of 1028 2196 Nqakim32.exe 40 PID 1028 wrote to memory of 772 1028 Njipabhe.exe 41 PID 1028 wrote to memory of 772 1028 Njipabhe.exe 41 PID 1028 wrote to memory of 772 1028 Njipabhe.exe 41 PID 1028 wrote to memory of 772 1028 Njipabhe.exe 41 PID 772 wrote to memory of 2508 772 Nmjicn32.exe 42 PID 772 wrote to memory of 2508 772 Nmjicn32.exe 42 PID 772 wrote to memory of 2508 772 Nmjicn32.exe 42 PID 772 wrote to memory of 2508 772 Nmjicn32.exe 42 PID 2508 wrote to memory of 2236 2508 Nhdjdk32.exe 43 PID 2508 wrote to memory of 2236 2508 Nhdjdk32.exe 43 PID 2508 wrote to memory of 2236 2508 Nhdjdk32.exe 43 PID 2508 wrote to memory of 2236 2508 Nhdjdk32.exe 43 PID 2236 wrote to memory of 1996 2236 Nehjmppo.exe 44 PID 2236 wrote to memory of 1996 2236 Nehjmppo.exe 44 PID 2236 wrote to memory of 1996 2236 Nehjmppo.exe 44 PID 2236 wrote to memory of 1996 2236 Nehjmppo.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe"C:\Users\Admin\AppData\Local\Temp\c0a6a31ac25d29356b5884d06e2956f4eafd70754f1da256e0f75ddb5b79c541N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Nqakim32.exeC:\Windows\system32\Nqakim32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe33⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe34⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe35⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe36⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bcpiombe.exeC:\Windows\system32\Bcpiombe.exe37⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe38⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe39⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe40⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Cihqbb32.exeC:\Windows\system32\Cihqbb32.exe42⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe44⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe46⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Dnlolhoo.exeC:\Windows\system32\Dnlolhoo.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Difplf32.exeC:\Windows\system32\Difplf32.exe49⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe51⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe53⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dlifcqfl.exeC:\Windows\system32\Dlifcqfl.exe54⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Dbcnpk32.exeC:\Windows\system32\Dbcnpk32.exe55⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe57⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe58⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ebghkjjc.exeC:\Windows\system32\Ebghkjjc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe61⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe62⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe63⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe65⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe66⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe67⤵PID:1688
-
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe68⤵PID:956
-
C:\Windows\SysWOW64\Fdbgia32.exeC:\Windows\system32\Fdbgia32.exe69⤵PID:656
-
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe70⤵PID:872
-
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe71⤵PID:1592
-
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe73⤵PID:2976
-
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe74⤵PID:2696
-
C:\Windows\SysWOW64\Fkeedo32.exeC:\Windows\system32\Fkeedo32.exe75⤵PID:2692
-
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe76⤵PID:2000
-
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe77⤵PID:2728
-
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe78⤵PID:2740
-
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe79⤵PID:3032
-
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe80⤵PID:2472
-
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe81⤵PID:1780
-
C:\Windows\SysWOW64\Gnmdfi32.exeC:\Windows\system32\Gnmdfi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe83⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe84⤵PID:1588
-
C:\Windows\SysWOW64\Gqmmhdka.exeC:\Windows\system32\Gqmmhdka.exe85⤵PID:1140
-
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe86⤵PID:1712
-
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe87⤵PID:1632
-
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe88⤵PID:1956
-
C:\Windows\SysWOW64\Hoegoqng.exeC:\Windows\system32\Hoegoqng.exe89⤵PID:2296
-
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe90⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Hkndiabh.exeC:\Windows\system32\Hkndiabh.exe92⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Hkpaoape.exeC:\Windows\system32\Hkpaoape.exe94⤵PID:2996
-
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe95⤵PID:2224
-
C:\Windows\SysWOW64\Ijenpn32.exeC:\Windows\system32\Ijenpn32.exe96⤵PID:2172
-
C:\Windows\SysWOW64\Iapfmg32.exeC:\Windows\system32\Iapfmg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe98⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe99⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe100⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe102⤵PID:1356
-
C:\Windows\SysWOW64\Ipimic32.exeC:\Windows\system32\Ipimic32.exe103⤵PID:1184
-
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe104⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe105⤵PID:1652
-
C:\Windows\SysWOW64\Jffakm32.exeC:\Windows\system32\Jffakm32.exe106⤵PID:2984
-
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe107⤵PID:2904
-
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe108⤵PID:1616
-
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe110⤵PID:1148
-
C:\Windows\SysWOW64\Jjjdjp32.exeC:\Windows\system32\Jjjdjp32.exe111⤵PID:2308
-
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe112⤵PID:1212
-
C:\Windows\SysWOW64\Jjlqpp32.exeC:\Windows\system32\Jjlqpp32.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe115⤵PID:2856
-
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe116⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Kkajkoml.exeC:\Windows\system32\Kkajkoml.exe117⤵PID:2360
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe118⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe119⤵PID:808
-
C:\Windows\SysWOW64\Kifgllbc.exeC:\Windows\system32\Kifgllbc.exe120⤵PID:1628
-
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe121⤵PID:624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-