Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 22:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe
-
Size
96KB
-
MD5
43765c9b3688c87faacd670fa34c6130
-
SHA1
c5a6fd55f07f112c7f319266d655fd44ca6a6e20
-
SHA256
9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50
-
SHA512
6842ec51a75d042f0881a8a537215fff21c5e083c2fc62781b6edaac70c6abac0d76b2269fc17029ac61d245c2a6432a2acb024b7fe7e982589d8bed84523b0b
-
SSDEEP
1536:os0PkacjJCBCY3gyGDlpbpvpY2JdNpXHkxmWHjhrUQVoMdUT+irF:BayUI7pJJJF3kxmWHjhr1Rhk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbfdaigg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mieeibkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnffgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofbag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqbddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icfofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofbag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpekon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdnepk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbidgeci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlfojn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbfbgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoamgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdqbekcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llohjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igakgfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffhpbacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe -
Executes dropped EXE 64 IoCs
pid Process 2748 Dolnad32.exe 2796 Dbkknojp.exe 2852 Dhdcji32.exe 2520 Ebmgcohn.exe 2944 Edkcojga.exe 536 Edkcojga.exe 872 Endhhp32.exe 2584 Eqbddk32.exe 3040 Ecqqpgli.exe 2340 Eqdajkkb.exe 2364 Eccmffjf.exe 1928 Emkaol32.exe 1648 Eqgnokip.exe 2092 Emnndlod.exe 2320 Echfaf32.exe 2392 Effcma32.exe 376 Fmpkjkma.exe 1168 Ffhpbacb.exe 1584 Figlolbf.exe 1832 Fpqdkf32.exe 1676 Fbopgb32.exe 668 Ffklhqao.exe 2044 Flgeqgog.exe 2116 Fbamma32.exe 2252 Fikejl32.exe 2780 Fhneehek.exe 2648 Fnhnbb32.exe 2948 Fjongcbl.exe 2452 Faigdn32.exe 1680 Gedbdlbb.exe 332 Gmpgio32.exe 892 Gpncej32.exe 2592 Gjdhbc32.exe 2440 Gmbdnn32.exe 2500 Gpqpjj32.exe 1988 Gmdadnkh.exe 2176 Gpcmpijk.exe 1652 Gljnej32.exe 2700 Gfobbc32.exe 2432 Gebbnpfp.exe 2156 Ginnnooi.exe 2888 Hbfbgd32.exe 2256 Hipkdnmf.exe 1056 Hlngpjlj.exe 960 Hkaglf32.exe 2128 Hlqdei32.exe 548 Hoopae32.exe 2764 Hanlnp32.exe 2660 Hdlhjl32.exe 1600 Hgjefg32.exe 2528 Hoamgd32.exe 1064 Hmdmcanc.exe 1856 Hdnepk32.exe 2712 Hkhnle32.exe 2840 Hiknhbcg.exe 1712 Hmfjha32.exe 1380 Hpefdl32.exe 2504 Hdqbekcm.exe 2180 Igonafba.exe 2428 Iimjmbae.exe 2408 Inifnq32.exe 1976 Illgimph.exe 1936 Icfofg32.exe 2420 Igakgfpn.exe -
Loads dropped DLL 64 IoCs
pid Process 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 2748 Dolnad32.exe 2748 Dolnad32.exe 2796 Dbkknojp.exe 2796 Dbkknojp.exe 2852 Dhdcji32.exe 2852 Dhdcji32.exe 2520 Ebmgcohn.exe 2520 Ebmgcohn.exe 2944 Edkcojga.exe 2944 Edkcojga.exe 536 Edkcojga.exe 536 Edkcojga.exe 872 Endhhp32.exe 872 Endhhp32.exe 2584 Eqbddk32.exe 2584 Eqbddk32.exe 3040 Ecqqpgli.exe 3040 Ecqqpgli.exe 2340 Eqdajkkb.exe 2340 Eqdajkkb.exe 2364 Eccmffjf.exe 2364 Eccmffjf.exe 1928 Emkaol32.exe 1928 Emkaol32.exe 1648 Eqgnokip.exe 1648 Eqgnokip.exe 2092 Emnndlod.exe 2092 Emnndlod.exe 2320 Echfaf32.exe 2320 Echfaf32.exe 2392 Effcma32.exe 2392 Effcma32.exe 376 Fmpkjkma.exe 376 Fmpkjkma.exe 1168 Ffhpbacb.exe 1168 Ffhpbacb.exe 1584 Figlolbf.exe 1584 Figlolbf.exe 1832 Fpqdkf32.exe 1832 Fpqdkf32.exe 1676 Fbopgb32.exe 1676 Fbopgb32.exe 668 Ffklhqao.exe 668 Ffklhqao.exe 2044 Flgeqgog.exe 2044 Flgeqgog.exe 2116 Fbamma32.exe 2116 Fbamma32.exe 2252 Fikejl32.exe 2252 Fikejl32.exe 2780 Fhneehek.exe 2780 Fhneehek.exe 2648 Fnhnbb32.exe 2648 Fnhnbb32.exe 2948 Fjongcbl.exe 2948 Fjongcbl.exe 2452 Faigdn32.exe 2452 Faigdn32.exe 1680 Gedbdlbb.exe 1680 Gedbdlbb.exe 332 Gmpgio32.exe 332 Gmpgio32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File created C:\Windows\SysWOW64\Hnepch32.dll Jbdonb32.exe File created C:\Windows\SysWOW64\Olahaplc.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Nigome32.exe Nekbmgcn.exe File opened for modification C:\Windows\SysWOW64\Effcma32.exe Echfaf32.exe File opened for modification C:\Windows\SysWOW64\Hbfbgd32.exe Ginnnooi.exe File opened for modification C:\Windows\SysWOW64\Hipkdnmf.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Bdpoifde.dll Jmplcp32.exe File opened for modification C:\Windows\SysWOW64\Kkolkk32.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Gmbdnn32.exe File created C:\Windows\SysWOW64\Jmamaoln.dll Ginnnooi.exe File created C:\Windows\SysWOW64\Imbiaa32.dll Migbnb32.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Moidahcn.exe File opened for modification C:\Windows\SysWOW64\Hoopae32.exe Hlqdei32.exe File opened for modification C:\Windows\SysWOW64\Hdlhjl32.exe Hanlnp32.exe File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Lghjel32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lgjfkk32.exe File created C:\Windows\SysWOW64\Pdlbongd.dll Mencccop.exe File created C:\Windows\SysWOW64\Nkpegi32.exe Nhaikn32.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Hanlnp32.exe File opened for modification C:\Windows\SysWOW64\Iompkh32.exe Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Kjifhc32.exe Kconkibf.exe File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Ecfmdf32.dll Moanaiie.exe File created C:\Windows\SysWOW64\Clialdph.dll Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Ecqqpgli.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Ffklhqao.exe Fbopgb32.exe File opened for modification C:\Windows\SysWOW64\Gpcmpijk.exe Gmdadnkh.exe File created C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File created C:\Windows\SysWOW64\Eicieohp.dll Jocflgga.exe File created C:\Windows\SysWOW64\Dolnad32.exe 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dbkknojp.exe File opened for modification C:\Windows\SysWOW64\Fpqdkf32.exe Figlolbf.exe File created C:\Windows\SysWOW64\Cjgheann.dll Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Hanlnp32.exe Hoopae32.exe File created C:\Windows\SysWOW64\Kkolkk32.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Afdignjb.dll Nhaikn32.exe File created C:\Windows\SysWOW64\Ncmfqkdj.exe Npojdpef.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fhneehek.exe File created C:\Windows\SysWOW64\Igakgfpn.exe Icfofg32.exe File created C:\Windows\SysWOW64\Fpcqjacl.dll Kconkibf.exe File created C:\Windows\SysWOW64\Mhjbjopf.exe Migbnb32.exe File opened for modification C:\Windows\SysWOW64\Fbopgb32.exe Fpqdkf32.exe File opened for modification C:\Windows\SysWOW64\Icjhagdp.exe Ioolqh32.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Ljffag32.exe File created C:\Windows\SysWOW64\Aeaceffc.dll Meppiblm.exe File created C:\Windows\SysWOW64\Lmnppf32.dll Niebhf32.exe File opened for modification C:\Windows\SysWOW64\Lclnemgd.exe Lanaiahq.exe File created C:\Windows\SysWOW64\Mpcnkg32.dll Lclnemgd.exe File created C:\Windows\SysWOW64\Mpmapm32.exe Mlaeonld.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe File created C:\Windows\SysWOW64\Dkqahbgm.dll Icmegf32.exe File created C:\Windows\SysWOW64\Laegiq32.exe Linphc32.exe File opened for modification C:\Windows\SysWOW64\Nhaikn32.exe Ndemjoae.exe File opened for modification C:\Windows\SysWOW64\Lghjel32.exe Lclnemgd.exe File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Icfofg32.exe Illgimph.exe File opened for modification C:\Windows\SysWOW64\Kjfjbdle.exe Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Kocbkk32.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Kcacch32.dll Kjifhc32.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Kkolkk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3528 3504 WerFault.exe 209 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkcojga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdmggnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meppiblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjhagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkoplhip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbdklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liplnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nekbmgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faigdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabbhcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmfqkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echfaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbopgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebbnpfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoamgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhnle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedkbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llohjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffklhqao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfobbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdnepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofbag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpgmdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkknojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqdajkkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimjmbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdqna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgainbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfiale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfknbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginnnooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklpekno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljibgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfqkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mencccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecqqpgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqgnokip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfbgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqbekcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfjbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhgoqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhpbacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhneehek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqlhdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbbbffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhnbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljnej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefhhbef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocflgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kincipnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmapm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnndlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoopae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnicmdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclnemgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgeqgog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iompkh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacch32.dll" Kjifhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kklpekno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppnidgoj.dll" Fbopgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Liplnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ginnnooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll" Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpopmpp.dll" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibebkc32.dll" Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll" Nmpnhdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhbld32.dll" Gljnej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedolome.dll" Jnpinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenobfak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqbddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgegdo32.dll" Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlkifo.dll" Gpncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbfbgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll" Jkjfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdacop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdcpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgjaf32.dll" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmfqkdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2632 wrote to memory of 2748 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 30 PID 2632 wrote to memory of 2748 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 30 PID 2632 wrote to memory of 2748 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 30 PID 2632 wrote to memory of 2748 2632 9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe 30 PID 2748 wrote to memory of 2796 2748 Dolnad32.exe 31 PID 2748 wrote to memory of 2796 2748 Dolnad32.exe 31 PID 2748 wrote to memory of 2796 2748 Dolnad32.exe 31 PID 2748 wrote to memory of 2796 2748 Dolnad32.exe 31 PID 2796 wrote to memory of 2852 2796 Dbkknojp.exe 32 PID 2796 wrote to memory of 2852 2796 Dbkknojp.exe 32 PID 2796 wrote to memory of 2852 2796 Dbkknojp.exe 32 PID 2796 wrote to memory of 2852 2796 Dbkknojp.exe 32 PID 2852 wrote to memory of 2520 2852 Dhdcji32.exe 33 PID 2852 wrote to memory of 2520 2852 Dhdcji32.exe 33 PID 2852 wrote to memory of 2520 2852 Dhdcji32.exe 33 PID 2852 wrote to memory of 2520 2852 Dhdcji32.exe 33 PID 2520 wrote to memory of 2944 2520 Ebmgcohn.exe 34 PID 2520 wrote to memory of 2944 2520 Ebmgcohn.exe 34 PID 2520 wrote to memory of 2944 2520 Ebmgcohn.exe 34 PID 2520 wrote to memory of 2944 2520 Ebmgcohn.exe 34 PID 2944 wrote to memory of 536 2944 Edkcojga.exe 35 PID 2944 wrote to memory of 536 2944 Edkcojga.exe 35 PID 2944 wrote to memory of 536 2944 Edkcojga.exe 35 PID 2944 wrote to memory of 536 2944 Edkcojga.exe 35 PID 536 wrote to memory of 872 536 Edkcojga.exe 36 PID 536 wrote to memory of 872 536 Edkcojga.exe 36 PID 536 wrote to memory of 872 536 Edkcojga.exe 36 PID 536 wrote to memory of 872 536 Edkcojga.exe 36 PID 872 wrote to memory of 2584 872 Endhhp32.exe 37 PID 872 wrote to memory of 2584 872 Endhhp32.exe 37 PID 872 wrote to memory of 2584 872 Endhhp32.exe 37 PID 872 wrote to memory of 2584 872 Endhhp32.exe 37 PID 2584 wrote to memory of 3040 2584 Eqbddk32.exe 38 PID 2584 wrote to memory of 3040 2584 Eqbddk32.exe 38 PID 2584 wrote to memory of 3040 2584 Eqbddk32.exe 38 PID 2584 wrote to memory of 3040 2584 Eqbddk32.exe 38 PID 3040 wrote to memory of 2340 3040 Ecqqpgli.exe 39 PID 3040 wrote to memory of 2340 3040 Ecqqpgli.exe 39 PID 3040 wrote to memory of 2340 3040 Ecqqpgli.exe 39 PID 3040 wrote to memory of 2340 3040 Ecqqpgli.exe 39 PID 2340 wrote to memory of 2364 2340 Eqdajkkb.exe 40 PID 2340 wrote to memory of 2364 2340 Eqdajkkb.exe 40 PID 2340 wrote to memory of 2364 2340 Eqdajkkb.exe 40 PID 2340 wrote to memory of 2364 2340 Eqdajkkb.exe 40 PID 2364 wrote to memory of 1928 2364 Eccmffjf.exe 41 PID 2364 wrote to memory of 1928 2364 Eccmffjf.exe 41 PID 2364 wrote to memory of 1928 2364 Eccmffjf.exe 41 PID 2364 wrote to memory of 1928 2364 Eccmffjf.exe 41 PID 1928 wrote to memory of 1648 1928 Emkaol32.exe 42 PID 1928 wrote to memory of 1648 1928 Emkaol32.exe 42 PID 1928 wrote to memory of 1648 1928 Emkaol32.exe 42 PID 1928 wrote to memory of 1648 1928 Emkaol32.exe 42 PID 1648 wrote to memory of 2092 1648 Eqgnokip.exe 43 PID 1648 wrote to memory of 2092 1648 Eqgnokip.exe 43 PID 1648 wrote to memory of 2092 1648 Eqgnokip.exe 43 PID 1648 wrote to memory of 2092 1648 Eqgnokip.exe 43 PID 2092 wrote to memory of 2320 2092 Emnndlod.exe 44 PID 2092 wrote to memory of 2320 2092 Emnndlod.exe 44 PID 2092 wrote to memory of 2320 2092 Emnndlod.exe 44 PID 2092 wrote to memory of 2320 2092 Emnndlod.exe 44 PID 2320 wrote to memory of 2392 2320 Echfaf32.exe 45 PID 2320 wrote to memory of 2392 2320 Echfaf32.exe 45 PID 2320 wrote to memory of 2392 2320 Echfaf32.exe 45 PID 2320 wrote to memory of 2392 2320 Echfaf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe"C:\Users\Admin\AppData\Local\Temp\9ed3c3d72f73d620ac06b7018f3666a7b7ce012c6fa0c763c60bc8f5de855e50N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe44⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe45⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe46⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe50⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe53⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe57⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe62⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe70⤵PID:2808
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe71⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe74⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe75⤵PID:2148
-
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe78⤵PID:2884
-
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe81⤵
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe82⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe85⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe89⤵PID:1964
-
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe90⤵PID:2276
-
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe91⤵PID:3064
-
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe93⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe95⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe99⤵PID:1956
-
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe100⤵
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe101⤵PID:2164
-
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe106⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe108⤵PID:1488
-
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe109⤵
- System Location Discovery: System Language Discovery
PID:496 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe111⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe114⤵PID:1612
-
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe116⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe117⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:716 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe119⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe120⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe121⤵
- Drops file in System32 directory
PID:1540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-