Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/12/2024, 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
-
Size
72KB
-
MD5
1e96ab5de1314109e565e538bd67a7f0
-
SHA1
b8d5131d1b148c24086681ac47423c86a9ba910a
-
SHA256
f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5
-
SHA512
0669ffb4d06368ea1d689b63b52fe281bf47116a4f8eaabc331e17d4a7a3b59ac0c22d103726386ad6f3b0866a62c0a5cc3582843dfedf0e6c7adad1b1669066
-
SSDEEP
1536:qghvmf5GkNMww9e/u+dyfzQ8H01vy2qlg7GDCoQ:qrGk+wlurfH01vyV8GeoQ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfaldbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bccmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgigil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnadkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inlkik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnheohcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbojmmp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 996 Elkmmodo.exe 2348 Eknmhk32.exe 1912 Eoiiijcc.exe 2796 Fhbnbpjc.exe 584 Fajbke32.exe 2712 Fhdjgoha.exe 2816 Fkbgckgd.exe 2640 Famope32.exe 3048 Fdkklp32.exe 2888 Fgigil32.exe 1756 Flfpabkp.exe 2880 Fdmhbplb.exe 1552 Ffodjh32.exe 3068 Fnflke32.exe 2192 Flhmfbim.exe 2556 Fgnadkic.exe 1144 Fjlmpfhg.exe 1480 Fmkilb32.exe 548 Goiehm32.exe 1576 Gbhbdi32.exe 2008 Gjojef32.exe 1540 Gmmfaa32.exe 1124 Golbnm32.exe 1800 Gbjojh32.exe 2960 Gdhkfd32.exe 1564 Gmpcgace.exe 2224 Gonocmbi.exe 2140 Gnaooi32.exe 2956 Ggicgopd.exe 2296 Gncldi32.exe 2700 Gqahqd32.exe 2924 Gkglnm32.exe 2716 Gbadjg32.exe 3036 Gepafc32.exe 1956 Ggnmbn32.exe 2664 Hnheohcl.exe 1620 Hqfaldbo.exe 1288 Hgpjhn32.exe 2168 Hmmbqegc.exe 1764 Hpkompgg.exe 2236 Hfegij32.exe 2400 Hidcef32.exe 1128 Hcigco32.exe 2028 Hblgnkdh.exe 880 Hifpke32.exe 956 Hldlga32.exe 1772 Hcldhnkk.exe 316 Hemqpf32.exe 1484 Hmdhad32.exe 2112 Hpbdmo32.exe 2276 Hneeilgj.exe 2868 Hbaaik32.exe 2840 Iflmjihl.exe 2832 Ihniaa32.exe 1908 Iliebpfc.exe 1712 Inhanl32.exe 2552 Iafnjg32.exe 2776 Ieajkfmd.exe 1252 Ihpfgalh.exe 2252 Illbhp32.exe 2052 Injndk32.exe 1264 Iahkpg32.exe 1028 Idgglb32.exe 1676 Ilnomp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 996 Elkmmodo.exe 996 Elkmmodo.exe 2348 Eknmhk32.exe 2348 Eknmhk32.exe 1912 Eoiiijcc.exe 1912 Eoiiijcc.exe 2796 Fhbnbpjc.exe 2796 Fhbnbpjc.exe 584 Fajbke32.exe 584 Fajbke32.exe 2712 Fhdjgoha.exe 2712 Fhdjgoha.exe 2816 Fkbgckgd.exe 2816 Fkbgckgd.exe 2640 Famope32.exe 2640 Famope32.exe 3048 Fdkklp32.exe 3048 Fdkklp32.exe 2888 Fgigil32.exe 2888 Fgigil32.exe 1756 Flfpabkp.exe 1756 Flfpabkp.exe 2880 Fdmhbplb.exe 2880 Fdmhbplb.exe 1552 Ffodjh32.exe 1552 Ffodjh32.exe 3068 Fnflke32.exe 3068 Fnflke32.exe 2192 Flhmfbim.exe 2192 Flhmfbim.exe 2556 Fgnadkic.exe 2556 Fgnadkic.exe 1144 Fjlmpfhg.exe 1144 Fjlmpfhg.exe 1480 Fmkilb32.exe 1480 Fmkilb32.exe 548 Goiehm32.exe 548 Goiehm32.exe 1576 Gbhbdi32.exe 1576 Gbhbdi32.exe 2008 Gjojef32.exe 2008 Gjojef32.exe 1540 Gmmfaa32.exe 1540 Gmmfaa32.exe 1124 Golbnm32.exe 1124 Golbnm32.exe 1800 Gbjojh32.exe 1800 Gbjojh32.exe 2960 Gdhkfd32.exe 2960 Gdhkfd32.exe 1564 Gmpcgace.exe 1564 Gmpcgace.exe 2224 Gonocmbi.exe 2224 Gonocmbi.exe 2140 Gnaooi32.exe 2140 Gnaooi32.exe 2956 Ggicgopd.exe 2956 Ggicgopd.exe 2296 Gncldi32.exe 2296 Gncldi32.exe 2700 Gqahqd32.exe 2700 Gqahqd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fgnadkic.exe Flhmfbim.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Qkdhopfa.dll Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jioopgef.exe File created C:\Windows\SysWOW64\Qdncmgbj.exe Qlgkki32.exe File created C:\Windows\SysWOW64\Gfnafi32.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Gnaooi32.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Ihniaa32.exe Iflmjihl.exe File opened for modification C:\Windows\SysWOW64\Lcjlnpmo.exe Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Phnpagdp.exe Pepcelel.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cgcnghpl.exe File created C:\Windows\SysWOW64\Nfcakjoj.dll Nibqqh32.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Objaha32.exe File opened for modification C:\Windows\SysWOW64\Olbfagca.exe Oidiekdn.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Oiffkkbk.exe File created C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File opened for modification C:\Windows\SysWOW64\Knfndjdp.exe Kocmim32.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jioopgef.exe File created C:\Windows\SysWOW64\Knfndjdp.exe Kocmim32.exe File created C:\Windows\SysWOW64\Okhdnm32.dll Odedge32.exe File opened for modification C:\Windows\SysWOW64\Idgglb32.exe Iahkpg32.exe File created C:\Windows\SysWOW64\Bqlfaj32.exe Bieopm32.exe File created C:\Windows\SysWOW64\Eoobfoke.dll Adlcfjgh.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hpkompgg.exe File opened for modification C:\Windows\SysWOW64\Mjfnomde.exe Mfjann32.exe File created C:\Windows\SysWOW64\Ngealejo.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Khdecggq.dll Nhlgmd32.exe File created C:\Windows\SysWOW64\Dkodahqi.dll Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Pidfdofi.exe Pkaehb32.exe File created C:\Windows\SysWOW64\Lgnebokc.dll Kpdjaecc.exe File opened for modification C:\Windows\SysWOW64\Mjcaimgg.exe Mgedmb32.exe File opened for modification C:\Windows\SysWOW64\Pkcbnanl.exe Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Ebmjlg32.dll Idgglb32.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Phcilf32.exe File created C:\Windows\SysWOW64\Afffenbp.exe Aakjdo32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Gmpcgace.exe File opened for modification C:\Windows\SysWOW64\Jpbalb32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nnmlcp32.exe File created C:\Windows\SysWOW64\Lgfeei32.dll Jlphbbbg.exe File created C:\Windows\SysWOW64\Kcgphp32.exe Kddomchg.exe File opened for modification C:\Windows\SysWOW64\Abpcooea.exe Aoagccfn.exe File created C:\Windows\SysWOW64\Jjmeignj.dll Adnpkjde.exe File opened for modification C:\Windows\SysWOW64\Djdgic32.exe Cgfkmgnj.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ifgpnmom.exe File created C:\Windows\SysWOW64\Kccllg32.dll Ljfapjbi.exe File created C:\Windows\SysWOW64\Ojomdoof.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File created C:\Windows\SysWOW64\Kjoahnho.dll Jampjian.exe File opened for modification C:\Windows\SysWOW64\Lgqkbb32.exe Ldbofgme.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nbjeinje.exe File created C:\Windows\SysWOW64\Phlclgfc.exe Piicpk32.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pkaehb32.exe File created C:\Windows\SysWOW64\Afdiondb.exe Aaimopli.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Hldlga32.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Jikeeh32.exe Jfliim32.exe File created C:\Windows\SysWOW64\Jlkngc32.exe Jimbkh32.exe File created C:\Windows\SysWOW64\Llbqfe32.exe Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nenkqi32.exe File created C:\Windows\SysWOW64\Lfmlmhlo.dll Lhfefgkg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4524 4444 WerFault.exe 361 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfaldbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phcilf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqipkhbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgabdlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbhbdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiffkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoagccfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppllabf.dll" Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiebopf.dll" Ijehdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcighi32.dll" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Allefimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggicgopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhiaka32.dll" Gepafc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfle32.dll" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajfhi32.dll" Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefhdnca.dll" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefdckem.dll" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnaooi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 996 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 30 PID 2148 wrote to memory of 996 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 30 PID 2148 wrote to memory of 996 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 30 PID 2148 wrote to memory of 996 2148 f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe 30 PID 996 wrote to memory of 2348 996 Elkmmodo.exe 31 PID 996 wrote to memory of 2348 996 Elkmmodo.exe 31 PID 996 wrote to memory of 2348 996 Elkmmodo.exe 31 PID 996 wrote to memory of 2348 996 Elkmmodo.exe 31 PID 2348 wrote to memory of 1912 2348 Eknmhk32.exe 32 PID 2348 wrote to memory of 1912 2348 Eknmhk32.exe 32 PID 2348 wrote to memory of 1912 2348 Eknmhk32.exe 32 PID 2348 wrote to memory of 1912 2348 Eknmhk32.exe 32 PID 1912 wrote to memory of 2796 1912 Eoiiijcc.exe 33 PID 1912 wrote to memory of 2796 1912 Eoiiijcc.exe 33 PID 1912 wrote to memory of 2796 1912 Eoiiijcc.exe 33 PID 1912 wrote to memory of 2796 1912 Eoiiijcc.exe 33 PID 2796 wrote to memory of 584 2796 Fhbnbpjc.exe 34 PID 2796 wrote to memory of 584 2796 Fhbnbpjc.exe 34 PID 2796 wrote to memory of 584 2796 Fhbnbpjc.exe 34 PID 2796 wrote to memory of 584 2796 Fhbnbpjc.exe 34 PID 584 wrote to memory of 2712 584 Fajbke32.exe 35 PID 584 wrote to memory of 2712 584 Fajbke32.exe 35 PID 584 wrote to memory of 2712 584 Fajbke32.exe 35 PID 584 wrote to memory of 2712 584 Fajbke32.exe 35 PID 2712 wrote to memory of 2816 2712 Fhdjgoha.exe 36 PID 2712 wrote to memory of 2816 2712 Fhdjgoha.exe 36 PID 2712 wrote to memory of 2816 2712 Fhdjgoha.exe 36 PID 2712 wrote to memory of 2816 2712 Fhdjgoha.exe 36 PID 2816 wrote to memory of 2640 2816 Fkbgckgd.exe 37 PID 2816 wrote to memory of 2640 2816 Fkbgckgd.exe 37 PID 2816 wrote to memory of 2640 2816 Fkbgckgd.exe 37 PID 2816 wrote to memory of 2640 2816 Fkbgckgd.exe 37 PID 2640 wrote to memory of 3048 2640 Famope32.exe 38 PID 2640 wrote to memory of 3048 2640 Famope32.exe 38 PID 2640 wrote to memory of 3048 2640 Famope32.exe 38 PID 2640 wrote to memory of 3048 2640 Famope32.exe 38 PID 3048 wrote to memory of 2888 3048 Fdkklp32.exe 39 PID 3048 wrote to memory of 2888 3048 Fdkklp32.exe 39 PID 3048 wrote to memory of 2888 3048 Fdkklp32.exe 39 PID 3048 wrote to memory of 2888 3048 Fdkklp32.exe 39 PID 2888 wrote to memory of 1756 2888 Fgigil32.exe 40 PID 2888 wrote to memory of 1756 2888 Fgigil32.exe 40 PID 2888 wrote to memory of 1756 2888 Fgigil32.exe 40 PID 2888 wrote to memory of 1756 2888 Fgigil32.exe 40 PID 1756 wrote to memory of 2880 1756 Flfpabkp.exe 41 PID 1756 wrote to memory of 2880 1756 Flfpabkp.exe 41 PID 1756 wrote to memory of 2880 1756 Flfpabkp.exe 41 PID 1756 wrote to memory of 2880 1756 Flfpabkp.exe 41 PID 2880 wrote to memory of 1552 2880 Fdmhbplb.exe 42 PID 2880 wrote to memory of 1552 2880 Fdmhbplb.exe 42 PID 2880 wrote to memory of 1552 2880 Fdmhbplb.exe 42 PID 2880 wrote to memory of 1552 2880 Fdmhbplb.exe 42 PID 1552 wrote to memory of 3068 1552 Ffodjh32.exe 43 PID 1552 wrote to memory of 3068 1552 Ffodjh32.exe 43 PID 1552 wrote to memory of 3068 1552 Ffodjh32.exe 43 PID 1552 wrote to memory of 3068 1552 Ffodjh32.exe 43 PID 3068 wrote to memory of 2192 3068 Fnflke32.exe 44 PID 3068 wrote to memory of 2192 3068 Fnflke32.exe 44 PID 3068 wrote to memory of 2192 3068 Fnflke32.exe 44 PID 3068 wrote to memory of 2192 3068 Fnflke32.exe 44 PID 2192 wrote to memory of 2556 2192 Flhmfbim.exe 45 PID 2192 wrote to memory of 2556 2192 Flhmfbim.exe 45 PID 2192 wrote to memory of 2556 2192 Flhmfbim.exe 45 PID 2192 wrote to memory of 2556 2192 Flhmfbim.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe"C:\Users\Admin\AppData\Local\Temp\f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe36⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe39⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe40⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe42⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe43⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe46⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe49⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe51⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe52⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe56⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe57⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe58⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe59⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe60⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe61⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe62⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe65⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe66⤵PID:1260
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe68⤵PID:2460
-
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe69⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe70⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe71⤵PID:2748
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe72⤵PID:2272
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe73⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe74⤵PID:3040
-
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe75⤵PID:2464
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe77⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe78⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe82⤵PID:1616
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe83⤵PID:1680
-
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe84⤵PID:1776
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe85⤵PID:2056
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe86⤵PID:2820
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe87⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe88⤵PID:2644
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe90⤵PID:2468
-
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe92⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe94⤵PID:616
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe96⤵PID:1248
-
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe97⤵PID:2512
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe101⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe102⤵PID:1604
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe103⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe104⤵PID:3012
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe105⤵PID:2204
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe106⤵PID:908
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe107⤵
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe108⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe111⤵PID:2728
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe112⤵PID:2900
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe113⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe115⤵PID:2448
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe116⤵PID:1032
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe117⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe118⤵PID:2356
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe120⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe121⤵PID:2628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-