Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
81s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 03:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe
-
Size
96KB
-
MD5
cd8686bd90b15c5854f5ebe7df3e8170
-
SHA1
352fd88cee81547568a3e4a43e6e48a8658e83c3
-
SHA256
0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36
-
SHA512
58c8f55bb9a05507359f946feb8c22b029f85ab31707e820042dbc3206ae128d424698812baae47d1798770555bfa6c98ae0ba7c0ff93f7609ca713b46b7e1a3
-
SSDEEP
1536:9shfbN/7zltkjdWZXZcCxhmAS9mzL2tnt74S7V+5pUMv84WMRw8Dkqq:9yjN/1+jAgsip4Sp+7H7wWkqq
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckdgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edlafebn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdekgjno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnjne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnhngjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngpog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlbjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glpepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goqnae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkcilc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplllkdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegpaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Libjncnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcalnii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joidhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpmmfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghlfjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jggoqimd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hinbppna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkicbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokqnhpa.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Ebklic32.exe 2816 Eeiheo32.exe 2748 Elcpbigl.exe 2740 Elcpbigl.exe 2688 Ekfpmf32.exe 2608 Eodicd32.exe 2276 Eabepp32.exe 1616 Epeekmjk.exe 1816 Edaalk32.exe 2772 Egonhf32.exe 2920 Einjdb32.exe 2924 Eaebeoan.exe 2604 Edcnakpa.exe 2648 Ecfnmh32.exe 3012 Ekmfne32.exe 2200 Fmlbjq32.exe 1080 Fdekgjno.exe 2056 Fchkbg32.exe 1600 Fgdgcfmb.exe 860 Fmnopp32.exe 2376 Fplllkdc.exe 2332 Fckhhgcf.exe 2028 Fgfdie32.exe 1572 Feiddbbj.exe 2928 Fiepea32.exe 1552 Flclam32.exe 1716 Foahmh32.exe 1932 Fapeic32.exe 2700 Fhjmfnok.exe 2600 Fodebh32.exe 328 Fcpacf32.exe 2556 Fennoa32.exe 2792 Fhljkm32.exe 1096 Fnibcd32.exe 2968 Fepjea32.exe 1864 Ggagmjbq.exe 1136 Gkmbmh32.exe 2112 Gpjkeoha.exe 1608 Ggdcbi32.exe 1252 Gkoobhhg.exe 352 Gqlhkofn.exe 628 Gckdgjeb.exe 2244 Ggfpgi32.exe 2388 Glchpp32.exe 2420 Gdjqamme.exe 932 Gghmmilh.exe 1592 Gjgiidkl.exe 2572 Gnbejb32.exe 1796 Gqaafn32.exe 1584 Godaakic.exe 904 Gconbj32.exe 2764 Gfnjne32.exe 1740 Gjifodii.exe 2756 Ghlfjq32.exe 2768 Gmhbkohm.exe 1268 Hofngkga.exe 324 Hjlbdc32.exe 2496 Hinbppna.exe 1376 Hmjoqo32.exe 1300 Hkmollme.exe 1416 Hohkmj32.exe 2248 Hcdgmimg.exe 2832 Hbggif32.exe 2744 Hdecea32.exe -
Loads dropped DLL 64 IoCs
pid Process 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 2976 Ebklic32.exe 2976 Ebklic32.exe 2816 Eeiheo32.exe 2816 Eeiheo32.exe 2748 Elcpbigl.exe 2748 Elcpbigl.exe 2740 Elcpbigl.exe 2740 Elcpbigl.exe 2688 Ekfpmf32.exe 2688 Ekfpmf32.exe 2608 Eodicd32.exe 2608 Eodicd32.exe 2276 Eabepp32.exe 2276 Eabepp32.exe 1616 Epeekmjk.exe 1616 Epeekmjk.exe 1816 Edaalk32.exe 1816 Edaalk32.exe 2772 Egonhf32.exe 2772 Egonhf32.exe 2920 Einjdb32.exe 2920 Einjdb32.exe 2924 Eaebeoan.exe 2924 Eaebeoan.exe 2604 Edcnakpa.exe 2604 Edcnakpa.exe 2648 Ecfnmh32.exe 2648 Ecfnmh32.exe 3012 Ekmfne32.exe 3012 Ekmfne32.exe 2200 Fmlbjq32.exe 2200 Fmlbjq32.exe 1080 Fdekgjno.exe 1080 Fdekgjno.exe 2056 Fchkbg32.exe 2056 Fchkbg32.exe 1600 Fgdgcfmb.exe 1600 Fgdgcfmb.exe 860 Fmnopp32.exe 860 Fmnopp32.exe 2376 Fplllkdc.exe 2376 Fplllkdc.exe 2332 Fckhhgcf.exe 2332 Fckhhgcf.exe 2028 Fgfdie32.exe 2028 Fgfdie32.exe 1572 Feiddbbj.exe 1572 Feiddbbj.exe 2928 Fiepea32.exe 2928 Fiepea32.exe 1552 Flclam32.exe 1552 Flclam32.exe 1716 Foahmh32.exe 1716 Foahmh32.exe 1932 Fapeic32.exe 1932 Fapeic32.exe 2700 Fhjmfnok.exe 2700 Fhjmfnok.exe 2600 Fodebh32.exe 2600 Fodebh32.exe 328 Fcpacf32.exe 328 Fcpacf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bcpimq32.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Gehiioaj.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Bpmacdgo.dll Njnmbk32.exe File opened for modification C:\Windows\SysWOW64\Ilcalnii.exe Imaapa32.exe File opened for modification C:\Windows\SysWOW64\Lfbdci32.exe Lcdhgn32.exe File created C:\Windows\SysWOW64\Bgdkkc32.exe Bdfooh32.exe File created C:\Windows\SysWOW64\Efedga32.exe Dpklkgoj.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Iphgln32.exe Iaegpaao.exe File opened for modification C:\Windows\SysWOW64\Icdcllpc.exe Iphgln32.exe File opened for modification C:\Windows\SysWOW64\Kmegjdad.exe Kijkje32.exe File created C:\Windows\SysWOW64\Ammhpd32.dll Lpflkb32.exe File created C:\Windows\SysWOW64\Djgfah32.dll Dpklkgoj.exe File created C:\Windows\SysWOW64\Giolnomh.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe Kpieengb.exe File created C:\Windows\SysWOW64\Onmnmm32.dll Fmnopp32.exe File created C:\Windows\SysWOW64\Jokbld32.dll Gqlhkofn.exe File created C:\Windows\SysWOW64\Keacjqlh.dll Gdjqamme.exe File opened for modification C:\Windows\SysWOW64\Hinbppna.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Iddlde32.dll Llomfpag.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe Cgidfcdk.exe File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Eodicd32.exe File opened for modification C:\Windows\SysWOW64\Apkgpf32.exe Anljck32.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Cjhabndo.exe File created C:\Windows\SysWOW64\Dgnjqe32.exe Deondj32.exe File opened for modification C:\Windows\SysWOW64\Fdgdji32.exe Feddombd.exe File created C:\Windows\SysWOW64\Kipmhc32.exe Kfaalh32.exe File opened for modification C:\Windows\SysWOW64\Ibkmchbh.exe Ipmqgmcd.exe File opened for modification C:\Windows\SysWOW64\Hokhbj32.exe Hkolakkb.exe File created C:\Windows\SysWOW64\Ipjdameg.exe Ijnkifgp.exe File created C:\Windows\SysWOW64\Iqjcnfeg.dll Nkkmgncb.exe File created C:\Windows\SysWOW64\Bolcma32.exe Bgdkkc32.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Jbpgka32.dll Fcpacf32.exe File opened for modification C:\Windows\SysWOW64\Ldheebad.exe Kajiigba.exe File created C:\Windows\SysWOW64\Oijoclhk.dll Mcknhm32.exe File created C:\Windows\SysWOW64\Mkpdghaq.dll Mdogedmh.exe File created C:\Windows\SysWOW64\Omckoi32.exe Ojeobm32.exe File opened for modification C:\Windows\SysWOW64\Fggmldfp.exe Fdiqpigl.exe File created C:\Windows\SysWOW64\Fimoiopk.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Goqnae32.exe File created C:\Windows\SysWOW64\Ibkmchbh.exe Ipmqgmcd.exe File created C:\Windows\SysWOW64\Ibnhnc32.dll Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Jjfkmdlg.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Aijpfppe.dll Hgqlafap.exe File opened for modification C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bhdhefpc.exe File created C:\Windows\SysWOW64\Jjkkbjln.exe Jhmofo32.exe File opened for modification C:\Windows\SysWOW64\Llmmpcfe.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Pkkkap32.dll Mhcmedli.exe File opened for modification C:\Windows\SysWOW64\Mobomnoq.exe Mmccqbpm.exe File opened for modification C:\Windows\SysWOW64\Ncfalqpm.exe Nqhepeai.exe File created C:\Windows\SysWOW64\Ohqngjgk.dll Ofnpnkgf.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Fepjea32.exe Fnibcd32.exe File created C:\Windows\SysWOW64\Iebldo32.exe Ifolhann.exe File created C:\Windows\SysWOW64\Mbchni32.exe Mnglnj32.exe File created C:\Windows\SysWOW64\Ohpboqdk.dll Mloiec32.exe File created C:\Windows\SysWOW64\Hcdgmimg.exe Hohkmj32.exe File opened for modification C:\Windows\SysWOW64\Hdecea32.exe Hbggif32.exe File created C:\Windows\SysWOW64\Jeomfi32.dll Piliii32.exe File opened for modification C:\Windows\SysWOW64\Kmkihbho.exe Kipmhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5272 5220 WerFault.exe 520 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deondj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjbkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdgmimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqaafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japciodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjdpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdgcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboeco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhicbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplllkdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghmmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobpfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hieiqo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhgdb32.dll" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meoaif32.dll" Ohbikbkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oejcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmppehkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebqngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Ajckilei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjeoijn.dll" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colpld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfieigio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpboqdk.dll" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbcknkna.dll" Ncfalqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppinkcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgeelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpjkeoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mappnp32.dll" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgacn32.dll" Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Fgdgcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angldo32.dll" Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckkff32.dll" Kindeddf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oecmogln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokbld32.dll" Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofoabofe.dll" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgmdapml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpmap32.dll" Edaalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfgebjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldheebad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lljpjchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkalpla.dll" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcceba32.dll" Eaebeoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgkoeaq.dll" Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epflllfi.dll" Mhfjjdjf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2628 wrote to memory of 2976 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 31 PID 2628 wrote to memory of 2976 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 31 PID 2628 wrote to memory of 2976 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 31 PID 2628 wrote to memory of 2976 2628 0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe 31 PID 2976 wrote to memory of 2816 2976 Ebklic32.exe 32 PID 2976 wrote to memory of 2816 2976 Ebklic32.exe 32 PID 2976 wrote to memory of 2816 2976 Ebklic32.exe 32 PID 2976 wrote to memory of 2816 2976 Ebklic32.exe 32 PID 2816 wrote to memory of 2748 2816 Eeiheo32.exe 33 PID 2816 wrote to memory of 2748 2816 Eeiheo32.exe 33 PID 2816 wrote to memory of 2748 2816 Eeiheo32.exe 33 PID 2816 wrote to memory of 2748 2816 Eeiheo32.exe 33 PID 2748 wrote to memory of 2740 2748 Elcpbigl.exe 34 PID 2748 wrote to memory of 2740 2748 Elcpbigl.exe 34 PID 2748 wrote to memory of 2740 2748 Elcpbigl.exe 34 PID 2748 wrote to memory of 2740 2748 Elcpbigl.exe 34 PID 2740 wrote to memory of 2688 2740 Elcpbigl.exe 35 PID 2740 wrote to memory of 2688 2740 Elcpbigl.exe 35 PID 2740 wrote to memory of 2688 2740 Elcpbigl.exe 35 PID 2740 wrote to memory of 2688 2740 Elcpbigl.exe 35 PID 2688 wrote to memory of 2608 2688 Ekfpmf32.exe 36 PID 2688 wrote to memory of 2608 2688 Ekfpmf32.exe 36 PID 2688 wrote to memory of 2608 2688 Ekfpmf32.exe 36 PID 2688 wrote to memory of 2608 2688 Ekfpmf32.exe 36 PID 2608 wrote to memory of 2276 2608 Eodicd32.exe 37 PID 2608 wrote to memory of 2276 2608 Eodicd32.exe 37 PID 2608 wrote to memory of 2276 2608 Eodicd32.exe 37 PID 2608 wrote to memory of 2276 2608 Eodicd32.exe 37 PID 2276 wrote to memory of 1616 2276 Eabepp32.exe 38 PID 2276 wrote to memory of 1616 2276 Eabepp32.exe 38 PID 2276 wrote to memory of 1616 2276 Eabepp32.exe 38 PID 2276 wrote to memory of 1616 2276 Eabepp32.exe 38 PID 1616 wrote to memory of 1816 1616 Epeekmjk.exe 39 PID 1616 wrote to memory of 1816 1616 Epeekmjk.exe 39 PID 1616 wrote to memory of 1816 1616 Epeekmjk.exe 39 PID 1616 wrote to memory of 1816 1616 Epeekmjk.exe 39 PID 1816 wrote to memory of 2772 1816 Edaalk32.exe 40 PID 1816 wrote to memory of 2772 1816 Edaalk32.exe 40 PID 1816 wrote to memory of 2772 1816 Edaalk32.exe 40 PID 1816 wrote to memory of 2772 1816 Edaalk32.exe 40 PID 2772 wrote to memory of 2920 2772 Egonhf32.exe 41 PID 2772 wrote to memory of 2920 2772 Egonhf32.exe 41 PID 2772 wrote to memory of 2920 2772 Egonhf32.exe 41 PID 2772 wrote to memory of 2920 2772 Egonhf32.exe 41 PID 2920 wrote to memory of 2924 2920 Einjdb32.exe 42 PID 2920 wrote to memory of 2924 2920 Einjdb32.exe 42 PID 2920 wrote to memory of 2924 2920 Einjdb32.exe 42 PID 2920 wrote to memory of 2924 2920 Einjdb32.exe 42 PID 2924 wrote to memory of 2604 2924 Eaebeoan.exe 43 PID 2924 wrote to memory of 2604 2924 Eaebeoan.exe 43 PID 2924 wrote to memory of 2604 2924 Eaebeoan.exe 43 PID 2924 wrote to memory of 2604 2924 Eaebeoan.exe 43 PID 2604 wrote to memory of 2648 2604 Edcnakpa.exe 44 PID 2604 wrote to memory of 2648 2604 Edcnakpa.exe 44 PID 2604 wrote to memory of 2648 2604 Edcnakpa.exe 44 PID 2604 wrote to memory of 2648 2604 Edcnakpa.exe 44 PID 2648 wrote to memory of 3012 2648 Ecfnmh32.exe 45 PID 2648 wrote to memory of 3012 2648 Ecfnmh32.exe 45 PID 2648 wrote to memory of 3012 2648 Ecfnmh32.exe 45 PID 2648 wrote to memory of 3012 2648 Ecfnmh32.exe 45 PID 3012 wrote to memory of 2200 3012 Ekmfne32.exe 46 PID 3012 wrote to memory of 2200 3012 Ekmfne32.exe 46 PID 3012 wrote to memory of 2200 3012 Ekmfne32.exe 46 PID 3012 wrote to memory of 2200 3012 Ekmfne32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe"C:\Users\Admin\AppData\Local\Temp\0389b605eb80521a86b538d9286327df6727373d3203634d70ec68e099789f36N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe34⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe36⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe37⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe38⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe41⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe44⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe45⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe48⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe51⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe52⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe54⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe56⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe57⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe60⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe66⤵PID:1996
-
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe67⤵PID:1032
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe68⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe71⤵PID:536
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe72⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe73⤵PID:1760
-
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe74⤵PID:1612
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe75⤵PID:1940
-
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe76⤵PID:1696
-
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe78⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe81⤵PID:2692
-
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe82⤵
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:808 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe84⤵PID:1564
-
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe85⤵PID:2596
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe86⤵PID:1708
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe87⤵PID:1396
-
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe89⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe90⤵PID:912
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe91⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe92⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe93⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe94⤵PID:1460
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe95⤵PID:1744
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe96⤵PID:1700
-
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe97⤵PID:864
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe98⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe99⤵PID:1284
-
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe100⤵PID:2352
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe101⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe103⤵PID:1780
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe104⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe105⤵PID:2304
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe106⤵PID:1544
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe107⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe108⤵PID:2912
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe110⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe111⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe112⤵PID:2904
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe113⤵PID:2060
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe114⤵PID:2284
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe116⤵PID:2488
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe118⤵PID:1404
-
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe119⤵PID:684
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe120⤵PID:1332
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe121⤵PID:2800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-