Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06/10/2024, 11:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe
-
Size
96KB
-
MD5
6fdf4bfca92da0c7a7c2e83d20af7c70
-
SHA1
ae80c4572005a9d2ec9cef47837f42775d21fcde
-
SHA256
910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671d
-
SHA512
6d0d82d284b79175e19e5dbed1cc64af5b60956d1e35bd904748a0dc60712a408ae3eddba3d58789bfbdbf8f15d56ad9ad100226c204ad510c5df66747b4b3c6
-
SSDEEP
1536:hBu45u15HadkhNUPijKxF/vhir2ZRMllu02EVX6u5hrUQVoMdUT+irF:C45u/HadkPU0MFIr2ZRMlU0lVX64hr1k
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhgcgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmihgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikgfdlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hplbamdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqifajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npffaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcncbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdndggcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cipleo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmcikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miiaogio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlmjgnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikapdqoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jneoojeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjgfomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhpgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkblohek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcchgini.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjffbhnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manljd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmhfpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jibpghbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqdelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjoohdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmelpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqiingf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdfni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heakefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Polobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddpbfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blibghmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onocon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idmnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flfnhnfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfikod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgeogmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maiqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloilcci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjqhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkilgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkldgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gekkpqnp.exe -
Executes dropped EXE 64 IoCs
pid Process 3000 Fpgnoo32.exe 2504 Fnjnkkbk.exe 2792 Fedfgejh.exe 2840 Fnmjpk32.exe 2864 Fbhfajia.exe 2612 Flqkjo32.exe 2876 Fjckelfm.exe 452 Fdlpnamm.exe 1676 Ffjljmla.exe 1936 Fappgflg.exe 1960 Fpbqcb32.exe 1380 Fikelhib.exe 472 Fmfalg32.exe 1492 Gbcien32.exe 2356 Gjjafkpe.exe 2196 Gpgjnbnl.exe 1272 Gbffjmmp.exe 2512 Gmkjgfmf.exe 2852 Gpjfcali.exe 2812 Gefolhja.exe 2036 Gibkmgcj.exe 1476 Ghekhd32.exe 2200 Goocenaa.exe 1440 Gidhbgag.exe 1480 Glbdnbpk.exe 2052 Gkedjo32.exe 2776 Gekhgh32.exe 2788 Gdnibdmf.exe 2752 Gkhaooec.exe 2960 Hmfmkjdf.exe 2592 Hhlaiccm.exe 2108 Hmijajbd.exe 2308 Hadfah32.exe 1360 Hafbghhj.exe 1728 Hdeoccgn.exe 1904 Hdgkicek.exe 2428 Hcjldp32.exe 1924 Hnppaill.exe 3048 Hpnlndkp.exe 3044 Hghdjn32.exe 2496 Ijfqfj32.exe 2344 Ihiabfhk.exe 2088 Icoepohq.exe 1884 Iemalkgd.exe 1788 Ilgjhena.exe 2352 Ikjjda32.exe 604 Icabeo32.exe 2372 Ilifndlo.exe 2884 Iklfia32.exe 2820 Iafofkkf.exe 2172 Idekbgji.exe 2824 Idekbgji.exe 2712 Ihpgce32.exe 2600 Ikocoa32.exe 2668 Iojopp32.exe 2660 Iqllghon.exe 2324 Idghhf32.exe 2696 Igeddb32.exe 1148 Ikapdqoc.exe 1616 Ijdppm32.exe 3028 Ibkhak32.exe 1892 Jcleiclo.exe 1800 Jghqia32.exe 892 Jkcmjpma.exe -
Loads dropped DLL 64 IoCs
pid Process 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 3000 Fpgnoo32.exe 3000 Fpgnoo32.exe 2504 Fnjnkkbk.exe 2504 Fnjnkkbk.exe 2792 Fedfgejh.exe 2792 Fedfgejh.exe 2840 Fnmjpk32.exe 2840 Fnmjpk32.exe 2864 Fbhfajia.exe 2864 Fbhfajia.exe 2612 Flqkjo32.exe 2612 Flqkjo32.exe 2876 Fjckelfm.exe 2876 Fjckelfm.exe 452 Fdlpnamm.exe 452 Fdlpnamm.exe 1676 Ffjljmla.exe 1676 Ffjljmla.exe 1936 Fappgflg.exe 1936 Fappgflg.exe 1960 Fpbqcb32.exe 1960 Fpbqcb32.exe 1380 Fikelhib.exe 1380 Fikelhib.exe 472 Fmfalg32.exe 472 Fmfalg32.exe 1492 Gbcien32.exe 1492 Gbcien32.exe 2356 Gjjafkpe.exe 2356 Gjjafkpe.exe 2196 Gpgjnbnl.exe 2196 Gpgjnbnl.exe 1272 Gbffjmmp.exe 1272 Gbffjmmp.exe 2512 Gmkjgfmf.exe 2512 Gmkjgfmf.exe 2852 Gpjfcali.exe 2852 Gpjfcali.exe 2812 Gefolhja.exe 2812 Gefolhja.exe 2036 Gibkmgcj.exe 2036 Gibkmgcj.exe 1476 Ghekhd32.exe 1476 Ghekhd32.exe 2200 Goocenaa.exe 2200 Goocenaa.exe 1440 Gidhbgag.exe 1440 Gidhbgag.exe 1480 Glbdnbpk.exe 1480 Glbdnbpk.exe 2052 Gkedjo32.exe 2052 Gkedjo32.exe 2776 Gekhgh32.exe 2776 Gekhgh32.exe 2788 Gdnibdmf.exe 2788 Gdnibdmf.exe 2752 Gkhaooec.exe 2752 Gkhaooec.exe 2960 Hmfmkjdf.exe 2960 Hmfmkjdf.exe 2592 Hhlaiccm.exe 2592 Hhlaiccm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mlgkbi32.exe Miiofn32.exe File created C:\Windows\SysWOW64\Gllpflng.exe Gindjqnc.exe File created C:\Windows\SysWOW64\Moeodd32.dll Liboodmk.exe File opened for modification C:\Windows\SysWOW64\Nfmahkhh.exe Ndoelpid.exe File created C:\Windows\SysWOW64\Ijdppm32.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Ifpjem32.dll Dhleaq32.exe File opened for modification C:\Windows\SysWOW64\Habkeacd.exe Hndoifdp.exe File created C:\Windows\SysWOW64\Ahlfoh32.dll Mpkjgckc.exe File created C:\Windows\SysWOW64\Odfofhic.exe Oahbjmjp.exe File created C:\Windows\SysWOW64\Nfhpah32.dll Aplkah32.exe File created C:\Windows\SysWOW64\Fgjkmijh.exe Fpcblkje.exe File created C:\Windows\SysWOW64\Jogneifn.dll Gllpflng.exe File opened for modification C:\Windows\SysWOW64\Pfkkeq32.exe Pcmoie32.exe File created C:\Windows\SysWOW64\Qanolm32.exe Qmcclolh.exe File opened for modification C:\Windows\SysWOW64\Heakefnf.exe Hfnkji32.exe File created C:\Windows\SysWOW64\Hbfdeplh.dll Oipcnieb.exe File opened for modification C:\Windows\SysWOW64\Dkblohek.exe Dckcnj32.exe File created C:\Windows\SysWOW64\Olmjje32.dll Cllkkk32.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nljjqbfp.exe File opened for modification C:\Windows\SysWOW64\Bjfpdf32.exe Bldpiifb.exe File opened for modification C:\Windows\SysWOW64\Iokhcodo.exe Ilmlfcel.exe File created C:\Windows\SysWOW64\Laackgka.exe Lmfgkh32.exe File opened for modification C:\Windows\SysWOW64\Hhjgll32.exe Gekkpqnp.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hmijajbd.exe File opened for modification C:\Windows\SysWOW64\Nikkkn32.exe Nepokogo.exe File created C:\Windows\SysWOW64\Afbnec32.exe Ankedf32.exe File opened for modification C:\Windows\SysWOW64\Mbjfcnkg.exe Monjcp32.exe File created C:\Windows\SysWOW64\Lncacf32.dll Ocihgo32.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe File opened for modification C:\Windows\SysWOW64\Iojopp32.exe Ikocoa32.exe File created C:\Windows\SysWOW64\Gmamfddp.exe Gieaef32.exe File opened for modification C:\Windows\SysWOW64\Ajapoqmf.exe Afecna32.exe File created C:\Windows\SysWOW64\Ikmfgnde.dll Nlmffa32.exe File created C:\Windows\SysWOW64\Fiakkcma.exe Fjnkpf32.exe File created C:\Windows\SysWOW64\Kkilgb32.exe Kikokf32.exe File opened for modification C:\Windows\SysWOW64\Agqfme32.exe Aafnpkii.exe File opened for modification C:\Windows\SysWOW64\Palbgn32.exe Pnnfkb32.exe File created C:\Windows\SysWOW64\Kihbfg32.exe Kfjfik32.exe File opened for modification C:\Windows\SysWOW64\Lbhmok32.exe Lnlaomae.exe File created C:\Windows\SysWOW64\Clneaj32.dll Bjoohdbd.exe File created C:\Windows\SysWOW64\Lcffgnnc.exe Lqgjkbop.exe File created C:\Windows\SysWOW64\Gjjafkpe.exe Gbcien32.exe File created C:\Windows\SysWOW64\Oaonla32.dll Knohpo32.exe File created C:\Windows\SysWOW64\Ejcfme32.dll Kbkdpnil.exe File created C:\Windows\SysWOW64\Mchokq32.exe Meeopdhb.exe File opened for modification C:\Windows\SysWOW64\Oingii32.exe Okkfmmqj.exe File opened for modification C:\Windows\SysWOW64\Oheppe32.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Hdgkicek.exe Hdeoccgn.exe File created C:\Windows\SysWOW64\Lodnjboi.exe Llebnfpe.exe File created C:\Windows\SysWOW64\Pgaimd32.dll Okqgcb32.exe File created C:\Windows\SysWOW64\Nlbgkgcc.exe Nmogpj32.exe File opened for modification C:\Windows\SysWOW64\Johaalea.exe Jpeafo32.exe File created C:\Windows\SysWOW64\Oggpcipi.dll Ijdppm32.exe File opened for modification C:\Windows\SysWOW64\Lmfgkh32.exe Lncgollm.exe File opened for modification C:\Windows\SysWOW64\Maocekoo.exe Moqgiopk.exe File created C:\Windows\SysWOW64\Bkghniol.dll Lcedne32.exe File opened for modification C:\Windows\SysWOW64\Mkaeob32.exe Mgfiocfl.exe File created C:\Windows\SysWOW64\Okhgod32.exe Ohjkcile.exe File created C:\Windows\SysWOW64\Gieaef32.exe Gfgdij32.exe File created C:\Windows\SysWOW64\Fdehpn32.exe Fbfldc32.exe File opened for modification C:\Windows\SysWOW64\Jcaqmkpn.exe Jofdll32.exe File created C:\Windows\SysWOW64\Naheae32.dll Kkckblgq.exe File created C:\Windows\SysWOW64\Jemffb32.dll Hafbghhj.exe File created C:\Windows\SysWOW64\Mebpakbq.exe Mbdcepcm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10116 10092 WerFault.exe 992 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllpflng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkambhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkaabnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imcfjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdlnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaqmkpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqpebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkfkopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfmahkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icabeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecobmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjboeenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikgda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomlfpdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkbpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpoofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqplqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockdmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioamlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbgnhfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfhaoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhocfnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodnjboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaoic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbqgolpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihdjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhncclq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcjgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockbdebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emggflfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpejfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdndggcl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll" Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmebabj.dll" Glkgcmbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbffjmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edeclabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndecfjhe.dll" Fpbihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gipqpplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifekkdfq.dll" Iqllghon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jipcbidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcepgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naheae32.dll" Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjknge32.dll" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblbj32.dll" Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icgdcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anhbdpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkhh32.dll" Aaikfkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bedcembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Komjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkbdan.dll" Jbedkhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lncgollm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikmibjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligleljk.dll" Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdamdah.dll" Cjboeenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egflml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmodaadg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkhalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenancce.dll" Ikocoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idghhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Oqgmmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amljgema.dll" Clfhml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lflonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glaiak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iboghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihhpdnkl.dll" Ihnmfoli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjhjbbl.dll" Hlpmmpam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcepgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnmpd32.dll" Glaiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljeqga.dll" Mfihml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opjlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehclbpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdflgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfdfdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdmbhnjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmqieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkkhmadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgiplffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijnecld.dll" Aafnpkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedeohin.dll" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpnkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphajbdq.dll" Ffjljmla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipabfcdm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 3000 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 30 PID 1760 wrote to memory of 3000 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 30 PID 1760 wrote to memory of 3000 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 30 PID 1760 wrote to memory of 3000 1760 910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe 30 PID 3000 wrote to memory of 2504 3000 Fpgnoo32.exe 31 PID 3000 wrote to memory of 2504 3000 Fpgnoo32.exe 31 PID 3000 wrote to memory of 2504 3000 Fpgnoo32.exe 31 PID 3000 wrote to memory of 2504 3000 Fpgnoo32.exe 31 PID 2504 wrote to memory of 2792 2504 Fnjnkkbk.exe 32 PID 2504 wrote to memory of 2792 2504 Fnjnkkbk.exe 32 PID 2504 wrote to memory of 2792 2504 Fnjnkkbk.exe 32 PID 2504 wrote to memory of 2792 2504 Fnjnkkbk.exe 32 PID 2792 wrote to memory of 2840 2792 Fedfgejh.exe 33 PID 2792 wrote to memory of 2840 2792 Fedfgejh.exe 33 PID 2792 wrote to memory of 2840 2792 Fedfgejh.exe 33 PID 2792 wrote to memory of 2840 2792 Fedfgejh.exe 33 PID 2840 wrote to memory of 2864 2840 Fnmjpk32.exe 34 PID 2840 wrote to memory of 2864 2840 Fnmjpk32.exe 34 PID 2840 wrote to memory of 2864 2840 Fnmjpk32.exe 34 PID 2840 wrote to memory of 2864 2840 Fnmjpk32.exe 34 PID 2864 wrote to memory of 2612 2864 Fbhfajia.exe 35 PID 2864 wrote to memory of 2612 2864 Fbhfajia.exe 35 PID 2864 wrote to memory of 2612 2864 Fbhfajia.exe 35 PID 2864 wrote to memory of 2612 2864 Fbhfajia.exe 35 PID 2612 wrote to memory of 2876 2612 Flqkjo32.exe 36 PID 2612 wrote to memory of 2876 2612 Flqkjo32.exe 36 PID 2612 wrote to memory of 2876 2612 Flqkjo32.exe 36 PID 2612 wrote to memory of 2876 2612 Flqkjo32.exe 36 PID 2876 wrote to memory of 452 2876 Fjckelfm.exe 37 PID 2876 wrote to memory of 452 2876 Fjckelfm.exe 37 PID 2876 wrote to memory of 452 2876 Fjckelfm.exe 37 PID 2876 wrote to memory of 452 2876 Fjckelfm.exe 37 PID 452 wrote to memory of 1676 452 Fdlpnamm.exe 38 PID 452 wrote to memory of 1676 452 Fdlpnamm.exe 38 PID 452 wrote to memory of 1676 452 Fdlpnamm.exe 38 PID 452 wrote to memory of 1676 452 Fdlpnamm.exe 38 PID 1676 wrote to memory of 1936 1676 Ffjljmla.exe 39 PID 1676 wrote to memory of 1936 1676 Ffjljmla.exe 39 PID 1676 wrote to memory of 1936 1676 Ffjljmla.exe 39 PID 1676 wrote to memory of 1936 1676 Ffjljmla.exe 39 PID 1936 wrote to memory of 1960 1936 Fappgflg.exe 40 PID 1936 wrote to memory of 1960 1936 Fappgflg.exe 40 PID 1936 wrote to memory of 1960 1936 Fappgflg.exe 40 PID 1936 wrote to memory of 1960 1936 Fappgflg.exe 40 PID 1960 wrote to memory of 1380 1960 Fpbqcb32.exe 41 PID 1960 wrote to memory of 1380 1960 Fpbqcb32.exe 41 PID 1960 wrote to memory of 1380 1960 Fpbqcb32.exe 41 PID 1960 wrote to memory of 1380 1960 Fpbqcb32.exe 41 PID 1380 wrote to memory of 472 1380 Fikelhib.exe 42 PID 1380 wrote to memory of 472 1380 Fikelhib.exe 42 PID 1380 wrote to memory of 472 1380 Fikelhib.exe 42 PID 1380 wrote to memory of 472 1380 Fikelhib.exe 42 PID 472 wrote to memory of 1492 472 Fmfalg32.exe 43 PID 472 wrote to memory of 1492 472 Fmfalg32.exe 43 PID 472 wrote to memory of 1492 472 Fmfalg32.exe 43 PID 472 wrote to memory of 1492 472 Fmfalg32.exe 43 PID 1492 wrote to memory of 2356 1492 Gbcien32.exe 44 PID 1492 wrote to memory of 2356 1492 Gbcien32.exe 44 PID 1492 wrote to memory of 2356 1492 Gbcien32.exe 44 PID 1492 wrote to memory of 2356 1492 Gbcien32.exe 44 PID 2356 wrote to memory of 2196 2356 Gjjafkpe.exe 45 PID 2356 wrote to memory of 2196 2356 Gjjafkpe.exe 45 PID 2356 wrote to memory of 2196 2356 Gjjafkpe.exe 45 PID 2356 wrote to memory of 2196 2356 Gjjafkpe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe"C:\Users\Admin\AppData\Local\Temp\910594afd14d0f57ce3ab8ffbc4d923e623bb3b5732580a0d785059dc501671dN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe34⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe37⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe38⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe39⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe40⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe41⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe42⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe43⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe44⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe45⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe46⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe47⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe49⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe50⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe51⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe52⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe53⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ihpgce32.exeC:\Windows\system32\Ihpgce32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe56⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe59⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe62⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe63⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe64⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe65⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe66⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe68⤵PID:1712
-
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe69⤵PID:1732
-
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe70⤵PID:1496
-
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe71⤵PID:2304
-
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe72⤵PID:2804
-
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe73⤵PID:2908
-
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe74⤵PID:2760
-
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe75⤵PID:2988
-
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe76⤵PID:2424
-
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe77⤵PID:988
-
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe78⤵PID:2692
-
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe79⤵PID:1956
-
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe80⤵PID:2180
-
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe81⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe82⤵PID:2228
-
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe83⤵PID:952
-
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe84⤵PID:2360
-
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe85⤵PID:624
-
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe87⤵PID:2332
-
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe88⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe89⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe91⤵PID:2640
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe92⤵PID:1872
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe93⤵PID:1964
-
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe94⤵PID:2480
-
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe95⤵PID:2148
-
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe96⤵PID:2208
-
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe97⤵PID:632
-
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe99⤵PID:1460
-
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe100⤵PID:2736
-
C:\Windows\SysWOW64\Kjkbpp32.exeC:\Windows\system32\Kjkbpp32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe102⤵PID:1120
-
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe103⤵PID:1448
-
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe104⤵PID:2408
-
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe105⤵PID:2580
-
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe106⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe107⤵PID:2192
-
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe108⤵PID:1980
-
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe109⤵PID:1736
-
C:\Windows\SysWOW64\Lpldcfmd.exeC:\Windows\system32\Lpldcfmd.exe110⤵PID:992
-
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe111⤵PID:2740
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe113⤵PID:3020
-
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe114⤵PID:804
-
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe115⤵PID:1976
-
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe116⤵PID:684
-
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe117⤵PID:3040
-
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe118⤵PID:2448
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe119⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe120⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe121⤵
- System Location Discovery: System Language Discovery
PID:1136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-