Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30/09/2024, 15:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe
-
Size
90KB
-
MD5
d4c090d529400d4801eaa99ef6a92390
-
SHA1
10cd6b6d45fc435879989acb55a1a6e960328056
-
SHA256
8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1
-
SHA512
8824d6a30c601be9660dde5e789133f446df6c838e3ceeb2e791776d430adaf9a5111918d4f2427a849fd1c6f5976fd625fdae32fd4bc48bc973ff997135823b
-
SSDEEP
1536:LlVOQeT3sez3qkz01A84V5JSZisItkdiJiPw8G2hu/Ub0VkVNK:PveT3sTkzMAj5JSZDItkIJqGAu/Ub0+U
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfmmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpbnaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljeeqfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ninjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Innbde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbifmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjgll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npffaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aialjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhckloge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkfhglen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laeidfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpjga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaondi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnijnjbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omeini32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkifgpeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjmlaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogddhmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdajpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abgdnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhdefo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpmifoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnkpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlpqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Podbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naionh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalldh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkmobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgdpgqgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgoobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gipqpplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcffgnnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hplbamdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcmlnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neekogkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfdaid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loocanbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcmlnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnfmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiljcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedpdpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcaqmkpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knddcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paghojip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipqpplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeccdila.exe -
Executes dropped EXE 64 IoCs
pid Process 1132 Cpbnaj32.exe 2464 Cglfndaa.exe 2836 Cikbjpqd.exe 2968 Ceacoqfi.exe 2860 Cllkkk32.exe 2756 Cedpdpdf.exe 2260 Clnhajlc.exe 2396 Dchpnd32.exe 264 Dibhjokm.exe 2908 Dkcebg32.exe 2752 Dammoahg.exe 2964 Ddliklgk.exe 2664 Dndndbnl.exe 840 Dekeeonn.exe 2096 Dkhnmfle.exe 2156 Docjne32.exe 2400 Dgoobg32.exe 2072 Dkjkcfjc.exe 2568 Dadcppbp.exe 2556 Dcepgh32.exe 800 Enkdda32.exe 2456 Echlmh32.exe 2460 Ejadibmh.exe 1528 Elpqemll.exe 2628 Efhenccl.exe 2044 Elbmkm32.exe 2952 Ebofcd32.exe 2896 Efkbdbai.exe 408 Eocfmh32.exe 2828 Efmoib32.exe 2720 Edpoeoea.exe 1732 Ekjgbi32.exe 1036 Ffpkob32.exe 2432 Fhngkm32.exe 1504 Fqilppic.exe 1084 Fipdqmje.exe 3004 Fgcdlj32.exe 2268 Fqkieogp.exe 1740 Fkambhgf.exe 2940 Fnoiocfj.exe 2112 Fghngimj.exe 2216 Ffkncf32.exe 908 Fjfjcdln.exe 1064 Fcoolj32.exe 1676 Fjhgidjk.exe 2632 Fikgda32.exe 1400 Gpeoakhc.exe 1244 Gbdlnf32.exe 2820 Gmipko32.exe 2920 Gllpflng.exe 2696 Gcchgini.exe 2748 Gfadcemm.exe 2740 Gipqpplq.exe 1616 Gmlmpo32.exe 3000 Glomllkd.exe 3036 Gbheif32.exe 1724 Gfdaid32.exe 2344 Gegaeabe.exe 2184 Ghenamai.exe 2180 Glaiak32.exe 2220 Gplebjbk.exe 1192 Gbkaneao.exe 1924 Geinjapb.exe 2200 Giejkp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 1132 Cpbnaj32.exe 1132 Cpbnaj32.exe 2464 Cglfndaa.exe 2464 Cglfndaa.exe 2836 Cikbjpqd.exe 2836 Cikbjpqd.exe 2968 Ceacoqfi.exe 2968 Ceacoqfi.exe 2860 Cllkkk32.exe 2860 Cllkkk32.exe 2756 Cedpdpdf.exe 2756 Cedpdpdf.exe 2260 Clnhajlc.exe 2260 Clnhajlc.exe 2396 Dchpnd32.exe 2396 Dchpnd32.exe 264 Dibhjokm.exe 264 Dibhjokm.exe 2908 Dkcebg32.exe 2908 Dkcebg32.exe 2752 Dammoahg.exe 2752 Dammoahg.exe 2964 Ddliklgk.exe 2964 Ddliklgk.exe 2664 Dndndbnl.exe 2664 Dndndbnl.exe 840 Dekeeonn.exe 840 Dekeeonn.exe 2096 Dkhnmfle.exe 2096 Dkhnmfle.exe 2156 Docjne32.exe 2156 Docjne32.exe 2400 Dgoobg32.exe 2400 Dgoobg32.exe 2072 Dkjkcfjc.exe 2072 Dkjkcfjc.exe 2568 Dadcppbp.exe 2568 Dadcppbp.exe 2556 Dcepgh32.exe 2556 Dcepgh32.exe 800 Enkdda32.exe 800 Enkdda32.exe 2456 Echlmh32.exe 2456 Echlmh32.exe 2460 Ejadibmh.exe 2460 Ejadibmh.exe 1528 Elpqemll.exe 1528 Elpqemll.exe 2628 Efhenccl.exe 2628 Efhenccl.exe 2044 Elbmkm32.exe 2044 Elbmkm32.exe 2952 Ebofcd32.exe 2952 Ebofcd32.exe 2896 Efkbdbai.exe 2896 Efkbdbai.exe 408 Eocfmh32.exe 408 Eocfmh32.exe 2828 Efmoib32.exe 2828 Efmoib32.exe 2720 Edpoeoea.exe 2720 Edpoeoea.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Efmoib32.exe Eocfmh32.exe File created C:\Windows\SysWOW64\Papank32.exe Pcmabnhm.exe File created C:\Windows\SysWOW64\Jpobja32.dll Aijfihip.exe File created C:\Windows\SysWOW64\Kgqlke32.dll Eocfmh32.exe File created C:\Windows\SysWOW64\Fcoolj32.exe Fjfjcdln.exe File created C:\Windows\SysWOW64\Hhopgkin.exe Hpghfn32.exe File opened for modification C:\Windows\SysWOW64\Nphbfplf.exe Nhakecld.exe File created C:\Windows\SysWOW64\Nbfobllj.exe Nphbfplf.exe File opened for modification C:\Windows\SysWOW64\Akmlacdn.exe Amjkefmd.exe File created C:\Windows\SysWOW64\Plfmff32.dll Jhniebne.exe File opened for modification C:\Windows\SysWOW64\Lmqgec32.exe Liekddkh.exe File opened for modification C:\Windows\SysWOW64\Pgdpgqgg.exe Pchdfb32.exe File created C:\Windows\SysWOW64\Ejlgciom.dll Hhjgll32.exe File opened for modification C:\Windows\SysWOW64\Opebpdad.exe Omgfdhbq.exe File opened for modification C:\Windows\SysWOW64\Bjgbmoda.exe Bghfacem.exe File created C:\Windows\SysWOW64\Njfiqneo.dll Hffjng32.exe File created C:\Windows\SysWOW64\Hmpbja32.exe Hidfjckg.exe File created C:\Windows\SysWOW64\Kheofahm.exe Kfgcieii.exe File created C:\Windows\SysWOW64\Mlhmkbhb.exe Miiaogio.exe File opened for modification C:\Windows\SysWOW64\Omjbihpn.exe Okkfmmqj.exe File opened for modification C:\Windows\SysWOW64\Ebofcd32.exe Elbmkm32.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nmgjee32.exe File created C:\Windows\SysWOW64\Cjehbgng.dll Qdhqpe32.exe File created C:\Windows\SysWOW64\Qgfmlp32.exe Qdhqpe32.exe File created C:\Windows\SysWOW64\Cglfndaa.exe Cpbnaj32.exe File created C:\Windows\SysWOW64\Iioloaac.dll Hmiljb32.exe File created C:\Windows\SysWOW64\Okgfkeda.dll Laeidfdn.exe File created C:\Windows\SysWOW64\Mnncii32.exe Mjbghkfi.exe File created C:\Windows\SysWOW64\Hdqcfdkh.dll Migdig32.exe File created C:\Windows\SysWOW64\Mbpibm32.exe Manljd32.exe File created C:\Windows\SysWOW64\Imfdhdkf.dll Nfpnnk32.exe File created C:\Windows\SysWOW64\Khcbpa32.exe Kfdfdf32.exe File opened for modification C:\Windows\SysWOW64\Meeopdhb.exe Majcoepi.exe File created C:\Windows\SysWOW64\Pkgjak32.dll Omgfdhbq.exe File created C:\Windows\SysWOW64\Khilfg32.dll Abeghmmn.exe File opened for modification C:\Windows\SysWOW64\Ieppjclf.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Kkckblgq.exe Kheofahm.exe File created C:\Windows\SysWOW64\Lginle32.dll Lmlnjcgg.exe File created C:\Windows\SysWOW64\Jpnkep32.exe Jidbifmb.exe File created C:\Windows\SysWOW64\Degjpgmg.dll Jpnkep32.exe File opened for modification C:\Windows\SysWOW64\Kjkehhjf.exe Kcamln32.exe File opened for modification C:\Windows\SysWOW64\Lbkchj32.exe Lomglo32.exe File created C:\Windows\SysWOW64\Hnfgbfba.dll Npffaq32.exe File created C:\Windows\SysWOW64\Fikgda32.exe Fjhgidjk.exe File opened for modification C:\Windows\SysWOW64\Jllakpdk.exe Jhqeka32.exe File created C:\Windows\SysWOW64\Lqnmhm32.dll Kqemeb32.exe File created C:\Windows\SysWOW64\Qlckjo32.dll Nkbcgnie.exe File created C:\Windows\SysWOW64\Lkfdfo32.exe Lelljepm.exe File created C:\Windows\SysWOW64\Opebpdad.exe Omgfdhbq.exe File opened for modification C:\Windows\SysWOW64\Glaiak32.exe Ghenamai.exe File created C:\Windows\SysWOW64\Cedpdpdf.exe Cllkkk32.exe File created C:\Windows\SysWOW64\Gdkniice.dll Gfadcemm.exe File opened for modification C:\Windows\SysWOW64\Mcjlap32.exe Malpee32.exe File created C:\Windows\SysWOW64\Nmefoa32.dll Ophoecoa.exe File created C:\Windows\SysWOW64\Jcfnnang.dll Pgacaaij.exe File created C:\Windows\SysWOW64\Denlga32.dll Ankhmncb.exe File opened for modification C:\Windows\SysWOW64\Kmjaddii.exe Kjkehhjf.exe File opened for modification C:\Windows\SysWOW64\Nfmahkhh.exe Nbbegl32.exe File created C:\Windows\SysWOW64\Ejadibmh.exe Echlmh32.exe File created C:\Windows\SysWOW64\Bnobnc32.dll Ffkncf32.exe File created C:\Windows\SysWOW64\Hmfmoo32.dll Ihlpqonl.exe File created C:\Windows\SysWOW64\Becbne32.dll Knpkhhhg.exe File created C:\Windows\SysWOW64\Bjakil32.dll Aaondi32.exe File created C:\Windows\SysWOW64\Alfoikga.dll Gjkcod32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3108 3308 WerFault.exe 330 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpapgnpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanhihno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejadibmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiaogio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjkcfjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcoolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljeeqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnabcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekkpqnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhmeehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noplmlok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olalpdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcmlnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljnaocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neekogkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfiaqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dammoahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifhgcgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdbcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodnfbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqemeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkfcjqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcepgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqjhjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeopdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbilhkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhenccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkcod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikoehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghenamai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelljepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfhglen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgdnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnmfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlpqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgjqook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphbfplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnfcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdlnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giejkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkehhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgfdhbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbnaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gegaeabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljeqga.dll" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olalpdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cllkkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecidcb.dll" Docjne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfdaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbqhkfi.dll" Mnkfcjqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjnanhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehbgng.dll" Qdhqpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll" Anpahn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noplmlok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmlmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjilde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgacaaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbne32.dll" Knpkhhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiglh32.dll" Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll" Abiqcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdjgfomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigpekfk.dll" Kcamln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohegbcn.dll" Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddliklgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqqdjceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffpkob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcmabnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnnang.dll" Pgacaaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhbqc32.dll" Geinjapb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfkhch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogbkiop.dll" Ogbgbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pabncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamcfo32.dll" Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdomige.dll" Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kccian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggbjggc.dll" Ogpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iekgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkphm32.dll" Lbkchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lijepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbfobllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oophlpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll" Afnfcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllakpdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lffohikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dekeeonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foibjlda.dll" Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll" Pdcgeejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lomglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbdo32.dll" Lijepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfdhdkf.dll" Nfpnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oomlfpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfhogfe.dll" Phhmeehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnpeijla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elbmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Degjpgmg.dll" Jpnkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ailboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpghnp.dll" Ddliklgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkhnmfle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fikgda32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 1132 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 30 PID 2296 wrote to memory of 1132 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 30 PID 2296 wrote to memory of 1132 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 30 PID 2296 wrote to memory of 1132 2296 8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe 30 PID 1132 wrote to memory of 2464 1132 Cpbnaj32.exe 31 PID 1132 wrote to memory of 2464 1132 Cpbnaj32.exe 31 PID 1132 wrote to memory of 2464 1132 Cpbnaj32.exe 31 PID 1132 wrote to memory of 2464 1132 Cpbnaj32.exe 31 PID 2464 wrote to memory of 2836 2464 Cglfndaa.exe 32 PID 2464 wrote to memory of 2836 2464 Cglfndaa.exe 32 PID 2464 wrote to memory of 2836 2464 Cglfndaa.exe 32 PID 2464 wrote to memory of 2836 2464 Cglfndaa.exe 32 PID 2836 wrote to memory of 2968 2836 Cikbjpqd.exe 33 PID 2836 wrote to memory of 2968 2836 Cikbjpqd.exe 33 PID 2836 wrote to memory of 2968 2836 Cikbjpqd.exe 33 PID 2836 wrote to memory of 2968 2836 Cikbjpqd.exe 33 PID 2968 wrote to memory of 2860 2968 Ceacoqfi.exe 34 PID 2968 wrote to memory of 2860 2968 Ceacoqfi.exe 34 PID 2968 wrote to memory of 2860 2968 Ceacoqfi.exe 34 PID 2968 wrote to memory of 2860 2968 Ceacoqfi.exe 34 PID 2860 wrote to memory of 2756 2860 Cllkkk32.exe 35 PID 2860 wrote to memory of 2756 2860 Cllkkk32.exe 35 PID 2860 wrote to memory of 2756 2860 Cllkkk32.exe 35 PID 2860 wrote to memory of 2756 2860 Cllkkk32.exe 35 PID 2756 wrote to memory of 2260 2756 Cedpdpdf.exe 36 PID 2756 wrote to memory of 2260 2756 Cedpdpdf.exe 36 PID 2756 wrote to memory of 2260 2756 Cedpdpdf.exe 36 PID 2756 wrote to memory of 2260 2756 Cedpdpdf.exe 36 PID 2260 wrote to memory of 2396 2260 Clnhajlc.exe 37 PID 2260 wrote to memory of 2396 2260 Clnhajlc.exe 37 PID 2260 wrote to memory of 2396 2260 Clnhajlc.exe 37 PID 2260 wrote to memory of 2396 2260 Clnhajlc.exe 37 PID 2396 wrote to memory of 264 2396 Dchpnd32.exe 38 PID 2396 wrote to memory of 264 2396 Dchpnd32.exe 38 PID 2396 wrote to memory of 264 2396 Dchpnd32.exe 38 PID 2396 wrote to memory of 264 2396 Dchpnd32.exe 38 PID 264 wrote to memory of 2908 264 Dibhjokm.exe 39 PID 264 wrote to memory of 2908 264 Dibhjokm.exe 39 PID 264 wrote to memory of 2908 264 Dibhjokm.exe 39 PID 264 wrote to memory of 2908 264 Dibhjokm.exe 39 PID 2908 wrote to memory of 2752 2908 Dkcebg32.exe 40 PID 2908 wrote to memory of 2752 2908 Dkcebg32.exe 40 PID 2908 wrote to memory of 2752 2908 Dkcebg32.exe 40 PID 2908 wrote to memory of 2752 2908 Dkcebg32.exe 40 PID 2752 wrote to memory of 2964 2752 Dammoahg.exe 41 PID 2752 wrote to memory of 2964 2752 Dammoahg.exe 41 PID 2752 wrote to memory of 2964 2752 Dammoahg.exe 41 PID 2752 wrote to memory of 2964 2752 Dammoahg.exe 41 PID 2964 wrote to memory of 2664 2964 Ddliklgk.exe 42 PID 2964 wrote to memory of 2664 2964 Ddliklgk.exe 42 PID 2964 wrote to memory of 2664 2964 Ddliklgk.exe 42 PID 2964 wrote to memory of 2664 2964 Ddliklgk.exe 42 PID 2664 wrote to memory of 840 2664 Dndndbnl.exe 43 PID 2664 wrote to memory of 840 2664 Dndndbnl.exe 43 PID 2664 wrote to memory of 840 2664 Dndndbnl.exe 43 PID 2664 wrote to memory of 840 2664 Dndndbnl.exe 43 PID 840 wrote to memory of 2096 840 Dekeeonn.exe 44 PID 840 wrote to memory of 2096 840 Dekeeonn.exe 44 PID 840 wrote to memory of 2096 840 Dekeeonn.exe 44 PID 840 wrote to memory of 2096 840 Dekeeonn.exe 44 PID 2096 wrote to memory of 2156 2096 Dkhnmfle.exe 45 PID 2096 wrote to memory of 2156 2096 Dkhnmfle.exe 45 PID 2096 wrote to memory of 2156 2096 Dkhnmfle.exe 45 PID 2096 wrote to memory of 2156 2096 Dkhnmfle.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe"C:\Users\Admin\AppData\Local\Temp\8b8907454ef43aed7081a4e9c03dfb062e228d62d9ee24c4b2216ed92d5bcae1N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Dammoahg.exeC:\Windows\system32\Dammoahg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ddliklgk.exeC:\Windows\system32\Ddliklgk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Efmoib32.exeC:\Windows\system32\Efmoib32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe33⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe35⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe36⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe37⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe38⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe39⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe40⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fnoiocfj.exeC:\Windows\system32\Fnoiocfj.exe41⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe42⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Fikgda32.exeC:\Windows\system32\Fikgda32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe48⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe50⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe51⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe52⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Glomllkd.exeC:\Windows\system32\Glomllkd.exe57⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe58⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe62⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe63⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe64⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe68⤵PID:2644
-
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe73⤵PID:2280
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe75⤵
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe76⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe77⤵PID:1840
-
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe78⤵PID:2028
-
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe79⤵PID:2020
-
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe80⤵PID:592
-
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe81⤵PID:1696
-
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe82⤵PID:1952
-
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe84⤵PID:1648
-
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe85⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe86⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe87⤵PID:2700
-
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe88⤵PID:2056
-
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe89⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe91⤵PID:1576
-
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe92⤵PID:2348
-
C:\Windows\SysWOW64\Iabhdefo.exeC:\Windows\system32\Iabhdefo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe95⤵PID:832
-
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe97⤵PID:1788
-
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe98⤵PID:2912
-
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe99⤵PID:2236
-
C:\Windows\SysWOW64\Iebmpcjc.exeC:\Windows\system32\Iebmpcjc.exe100⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe101⤵PID:956
-
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe102⤵
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe104⤵PID:2372
-
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe105⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe106⤵PID:2416
-
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe109⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe110⤵PID:2392
-
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe111⤵PID:2876
-
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe112⤵PID:2704
-
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe113⤵PID:1940
-
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe115⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe116⤵PID:1388
-
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe117⤵PID:1684
-
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe120⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2240
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-