Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/12/2024, 01:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe
-
Size
120KB
-
MD5
5425b7e70c6a222509cbc91a28cc15b6
-
SHA1
a372e5a21b5a11ce861f99d62f105a84585b71e3
-
SHA256
a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f
-
SHA512
330547ab8fe371b1c4cdeb31a6f126f260455e9a6befc06eeee92c99cb76ae6fc68afcd4edd978d52f0a9cb739483e59d22afd203ca2d0ea38a4638605b237ae
-
SSDEEP
3072:3+Nnx50X9rnOiYx9es203H/6TC+qF1SsB1bw4AVRrd9:3+NUXNYxAs9C81NBy9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepehphc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdkgocpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afkdakjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdaheq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpbiommg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkpbcjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgpjlnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oghopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bajomhbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdehon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpejeihi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhgdkjol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nadpgggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Illgimph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiommg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moidahcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okanklik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenochi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadpgggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmgbdo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2692 Pfjbgnme.exe 2804 Pmdjdh32.exe 2780 Qbcpbo32.exe 2644 Qimhoi32.exe 1552 Anlmmp32.exe 2012 Aefeijle.exe 2176 Ahgnke32.exe 768 Aekodi32.exe 1716 Adpkee32.exe 2848 Bpgljfbl.exe 2244 Bafidiio.exe 2976 Biamilfj.exe 2416 Blbfjg32.exe 2424 Bifgdk32.exe 2984 Bbokmqie.exe 1532 Cadhnmnm.exe 2188 Cohigamf.exe 1924 Ceaadk32.exe 1600 Cojema32.exe 1944 Chbjffad.exe 552 Cgejac32.exe 3008 Cjfccn32.exe 1340 Dfmdho32.exe 884 Dcadac32.exe 2864 Dogefd32.exe 2812 Dbfabp32.exe 2240 Dlkepi32.exe 2636 Dhbfdjdp.exe 1588 Dnoomqbg.exe 2640 Dookgcij.exe 3052 Ednpej32.exe 3036 Ejkima32.exe 532 Ejmebq32.exe 1432 Efcfga32.exe 1856 Ejobhppq.exe 1524 Fjaonpnn.exe 1288 Fbmcbbki.exe 2980 Fekpnn32.exe 2768 Fiihdlpc.exe 1660 Fnfamcoj.exe 1308 Fadminnn.exe 1744 Fnhnbb32.exe 1960 Febfomdd.exe 1620 Fnkjhb32.exe 1784 Gpncej32.exe 1392 Gfhladfn.exe 2508 Gjdhbc32.exe 2096 Gdllkhdg.exe 2116 Glgaok32.exe 2856 Gbaileio.exe 2796 Gepehphc.exe 2700 Gpejeihi.exe 3048 Gbcfadgl.exe 2940 Ghqnjk32.exe 1932 Hhckpk32.exe 2408 Hakphqja.exe 756 Hhehek32.exe 1764 Hkcdafqb.exe 2492 Hmbpmapf.exe 2064 Hdlhjl32.exe 1384 Hhgdkjol.exe 2164 Hoamgd32.exe 328 Hpbiommg.exe 1156 Hgmalg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 2692 Pfjbgnme.exe 2692 Pfjbgnme.exe 2804 Pmdjdh32.exe 2804 Pmdjdh32.exe 2780 Qbcpbo32.exe 2780 Qbcpbo32.exe 2644 Qimhoi32.exe 2644 Qimhoi32.exe 1552 Anlmmp32.exe 1552 Anlmmp32.exe 2012 Aefeijle.exe 2012 Aefeijle.exe 2176 Ahgnke32.exe 2176 Ahgnke32.exe 768 Aekodi32.exe 768 Aekodi32.exe 1716 Adpkee32.exe 1716 Adpkee32.exe 2848 Bpgljfbl.exe 2848 Bpgljfbl.exe 2244 Bafidiio.exe 2244 Bafidiio.exe 2976 Biamilfj.exe 2976 Biamilfj.exe 2416 Blbfjg32.exe 2416 Blbfjg32.exe 2424 Bifgdk32.exe 2424 Bifgdk32.exe 2984 Bbokmqie.exe 2984 Bbokmqie.exe 1532 Cadhnmnm.exe 1532 Cadhnmnm.exe 2188 Cohigamf.exe 2188 Cohigamf.exe 1924 Ceaadk32.exe 1924 Ceaadk32.exe 1600 Cojema32.exe 1600 Cojema32.exe 1944 Chbjffad.exe 1944 Chbjffad.exe 552 Cgejac32.exe 552 Cgejac32.exe 3008 Cjfccn32.exe 3008 Cjfccn32.exe 1340 Dfmdho32.exe 1340 Dfmdho32.exe 884 Dcadac32.exe 884 Dcadac32.exe 2864 Dogefd32.exe 2864 Dogefd32.exe 2812 Dbfabp32.exe 2812 Dbfabp32.exe 2240 Dlkepi32.exe 2240 Dlkepi32.exe 2636 Dhbfdjdp.exe 2636 Dhbfdjdp.exe 1588 Dnoomqbg.exe 1588 Dnoomqbg.exe 2640 Dookgcij.exe 2640 Dookgcij.exe 3052 Ednpej32.exe 3052 Ednpej32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aekodi32.exe Ahgnke32.exe File opened for modification C:\Windows\SysWOW64\Ceaadk32.exe Cohigamf.exe File created C:\Windows\SysWOW64\Hdlhjl32.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Lhpbmi32.dll Hiknhbcg.exe File created C:\Windows\SysWOW64\Pkdgpo32.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Aeqabgoj.exe Afnagk32.exe File opened for modification C:\Windows\SysWOW64\Dcadac32.exe Dfmdho32.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dhbfdjdp.exe File opened for modification C:\Windows\SysWOW64\Jjdmmdnh.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Jfoagoic.dll Jfknbe32.exe File created C:\Windows\SysWOW64\Ckpfcfnm.dll Cgpjlnhh.exe File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Febfomdd.exe Fnhnbb32.exe File opened for modification C:\Windows\SysWOW64\Jdbkjn32.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Lmmlmd32.dll Apalea32.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Nkpegi32.exe Ndemjoae.exe File created C:\Windows\SysWOW64\Pgpeal32.exe Pdaheq32.exe File created C:\Windows\SysWOW64\Pjpnbg32.exe Pcfefmnk.exe File created C:\Windows\SysWOW64\Dkqahbgm.dll Iapebchh.exe File created C:\Windows\SysWOW64\Jqlhdo32.exe Jgcdki32.exe File created C:\Windows\SysWOW64\Pmmani32.dll Amqccfed.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bpgljfbl.exe File created C:\Windows\SysWOW64\Habfipdj.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Oopfakpa.exe Oghopm32.exe File created C:\Windows\SysWOW64\Ngdfge32.dll Icjhagdp.exe File created C:\Windows\SysWOW64\Jnkpbcjg.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Mmihhelk.exe Mofglh32.exe File created C:\Windows\SysWOW64\Bbokmqie.exe Bifgdk32.exe File created C:\Windows\SysWOW64\Lmgefl32.dll Hhckpk32.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe File created C:\Windows\SysWOW64\Fnkjhb32.exe Febfomdd.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Hgmalg32.exe Hpbiommg.exe File opened for modification C:\Windows\SysWOW64\Iipgcaob.exe Icfofg32.exe File created C:\Windows\SysWOW64\Badffggh.dll Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Kfpgmdog.exe Kofopj32.exe File created C:\Windows\SysWOW64\Lfbpag32.exe Laegiq32.exe File created C:\Windows\SysWOW64\Nlekia32.exe Ncmfqkdj.exe File created C:\Windows\SysWOW64\Pndpajgd.exe Pbnoliap.exe File created C:\Windows\SysWOW64\Aeenochi.exe Aganeoip.exe File opened for modification C:\Windows\SysWOW64\Qbcpbo32.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Moidahcn.exe Mdcpdp32.exe File created C:\Windows\SysWOW64\Mfbnoibb.dll Odeiibdq.exe File opened for modification C:\Windows\SysWOW64\Qeohnd32.exe Pndpajgd.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dcadac32.exe File created C:\Windows\SysWOW64\Fdilpjih.dll Ejmebq32.exe File created C:\Windows\SysWOW64\Hakphqja.exe Hhckpk32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hdlhjl32.exe File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe Odlojanh.exe File created C:\Windows\SysWOW64\Ghfnkn32.dll Gbcfadgl.exe File opened for modification C:\Windows\SysWOW64\Npojdpef.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Cmjbhh32.exe Cgpjlnhh.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Kmgbdo32.exe Kbbngf32.exe File opened for modification C:\Windows\SysWOW64\Lfbpag32.exe Laegiq32.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Kofopj32.exe Kmgbdo32.exe File created C:\Windows\SysWOW64\Lmikibio.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Jhljdm32.exe Jnffgd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3448 3412 WerFault.exe 240 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndemjoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkgocpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhehek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmapm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbiommg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamimc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkolkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blbfjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaileio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopfakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biafnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcadac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklpekno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odeiibdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biojif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipgcaob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichllgfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffimglk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cphndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biamilfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkepi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbiipml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndohedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbkjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkpbcjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgemplap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npojdpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oappcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgnke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekodi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdhbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcfadgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdehon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeenochi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdjdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafidiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapebchh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjfkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdaheq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhllob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaiibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aganeoip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbokmqie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcbenjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilibi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmhkmki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqccfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fekpnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febfomdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepehphc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll" Iapebchh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgpeal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpgljfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biafnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" Cilibi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npojdpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncmfqkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgfqaiod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oappcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll" Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqlhdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnhqe32.dll" Fekpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaheie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afiglkle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Iamimc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqjfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ackkppma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bphbeplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdkgocpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll" Laegiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjdhbc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2692 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 30 PID 2316 wrote to memory of 2692 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 30 PID 2316 wrote to memory of 2692 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 30 PID 2316 wrote to memory of 2692 2316 a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe 30 PID 2692 wrote to memory of 2804 2692 Pfjbgnme.exe 31 PID 2692 wrote to memory of 2804 2692 Pfjbgnme.exe 31 PID 2692 wrote to memory of 2804 2692 Pfjbgnme.exe 31 PID 2692 wrote to memory of 2804 2692 Pfjbgnme.exe 31 PID 2804 wrote to memory of 2780 2804 Pmdjdh32.exe 32 PID 2804 wrote to memory of 2780 2804 Pmdjdh32.exe 32 PID 2804 wrote to memory of 2780 2804 Pmdjdh32.exe 32 PID 2804 wrote to memory of 2780 2804 Pmdjdh32.exe 32 PID 2780 wrote to memory of 2644 2780 Qbcpbo32.exe 33 PID 2780 wrote to memory of 2644 2780 Qbcpbo32.exe 33 PID 2780 wrote to memory of 2644 2780 Qbcpbo32.exe 33 PID 2780 wrote to memory of 2644 2780 Qbcpbo32.exe 33 PID 2644 wrote to memory of 1552 2644 Qimhoi32.exe 34 PID 2644 wrote to memory of 1552 2644 Qimhoi32.exe 34 PID 2644 wrote to memory of 1552 2644 Qimhoi32.exe 34 PID 2644 wrote to memory of 1552 2644 Qimhoi32.exe 34 PID 1552 wrote to memory of 2012 1552 Anlmmp32.exe 35 PID 1552 wrote to memory of 2012 1552 Anlmmp32.exe 35 PID 1552 wrote to memory of 2012 1552 Anlmmp32.exe 35 PID 1552 wrote to memory of 2012 1552 Anlmmp32.exe 35 PID 2012 wrote to memory of 2176 2012 Aefeijle.exe 36 PID 2012 wrote to memory of 2176 2012 Aefeijle.exe 36 PID 2012 wrote to memory of 2176 2012 Aefeijle.exe 36 PID 2012 wrote to memory of 2176 2012 Aefeijle.exe 36 PID 2176 wrote to memory of 768 2176 Ahgnke32.exe 37 PID 2176 wrote to memory of 768 2176 Ahgnke32.exe 37 PID 2176 wrote to memory of 768 2176 Ahgnke32.exe 37 PID 2176 wrote to memory of 768 2176 Ahgnke32.exe 37 PID 768 wrote to memory of 1716 768 Aekodi32.exe 38 PID 768 wrote to memory of 1716 768 Aekodi32.exe 38 PID 768 wrote to memory of 1716 768 Aekodi32.exe 38 PID 768 wrote to memory of 1716 768 Aekodi32.exe 38 PID 1716 wrote to memory of 2848 1716 Adpkee32.exe 39 PID 1716 wrote to memory of 2848 1716 Adpkee32.exe 39 PID 1716 wrote to memory of 2848 1716 Adpkee32.exe 39 PID 1716 wrote to memory of 2848 1716 Adpkee32.exe 39 PID 2848 wrote to memory of 2244 2848 Bpgljfbl.exe 40 PID 2848 wrote to memory of 2244 2848 Bpgljfbl.exe 40 PID 2848 wrote to memory of 2244 2848 Bpgljfbl.exe 40 PID 2848 wrote to memory of 2244 2848 Bpgljfbl.exe 40 PID 2244 wrote to memory of 2976 2244 Bafidiio.exe 41 PID 2244 wrote to memory of 2976 2244 Bafidiio.exe 41 PID 2244 wrote to memory of 2976 2244 Bafidiio.exe 41 PID 2244 wrote to memory of 2976 2244 Bafidiio.exe 41 PID 2976 wrote to memory of 2416 2976 Biamilfj.exe 42 PID 2976 wrote to memory of 2416 2976 Biamilfj.exe 42 PID 2976 wrote to memory of 2416 2976 Biamilfj.exe 42 PID 2976 wrote to memory of 2416 2976 Biamilfj.exe 42 PID 2416 wrote to memory of 2424 2416 Blbfjg32.exe 43 PID 2416 wrote to memory of 2424 2416 Blbfjg32.exe 43 PID 2416 wrote to memory of 2424 2416 Blbfjg32.exe 43 PID 2416 wrote to memory of 2424 2416 Blbfjg32.exe 43 PID 2424 wrote to memory of 2984 2424 Bifgdk32.exe 44 PID 2424 wrote to memory of 2984 2424 Bifgdk32.exe 44 PID 2424 wrote to memory of 2984 2424 Bifgdk32.exe 44 PID 2424 wrote to memory of 2984 2424 Bifgdk32.exe 44 PID 2984 wrote to memory of 1532 2984 Bbokmqie.exe 45 PID 2984 wrote to memory of 1532 2984 Bbokmqie.exe 45 PID 2984 wrote to memory of 1532 2984 Bbokmqie.exe 45 PID 2984 wrote to memory of 1532 2984 Bbokmqie.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe"C:\Users\Admin\AppData\Local\Temp\a690b8ce063e5a3c5396b76ebd921a607037886571d25734e6ff387b22d13c7f.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe35⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe36⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe38⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe40⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe41⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe45⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe46⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe49⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe55⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe59⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe63⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe65⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe67⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe68⤵PID:1752
-
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe71⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe72⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe73⤵PID:2664
-
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe74⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe75⤵PID:1860
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe76⤵PID:2448
-
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe77⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe79⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe82⤵PID:1756
-
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe83⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe84⤵PID:604
-
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe85⤵PID:336
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe86⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe91⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe94⤵PID:1152
-
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe95⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe96⤵PID:1888
-
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe97⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe102⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe103⤵PID:2144
-
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe104⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe105⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe106⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe108⤵PID:2172
-
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe109⤵
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe110⤵PID:1760
-
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe111⤵PID:2868
-
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe112⤵PID:2840
-
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe113⤵PID:2428
-
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe115⤵
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe116⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe117⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe118⤵PID:836
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe120⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2596
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-