Analysis
max time kernel: 146s
max time network: 15s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 19:02
Static task: static1
Behavioral task: behavioral1
Sample: 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe
Resource: win10v2004-20240709-en
General
Target: 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe
Size: 217KB
MD5: f8362595b7347db803388e0c4405dffb
SHA1: 00e535bd566acb7c220dd1bdc339616124a02260
SHA256: 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c
SHA512: a581609c044917bef8fedf4997d8cb047e5c804cab10a53037769a739531a4c48daaee8599e6c69f7fe87451ec1d56c2742c0ef78eae501f4d50753ad2490144
SSDEEP: 3072:EpjFM9rvwoRCRDUY0pB37eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVD:EpjGvwoEBypB37dZMGXF5ahdt3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3440, pid_target: 2960, Process: WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2120 wrote to memory of 2900 | 2120 | 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe | 29
PID 2120 wrote to memory of 2900 | 2120 | 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe | 29
PID 2120 wrote to memory of 2900 | 2120 | 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe | 29
PID 2120 wrote to memory of 2900 | 2120 | 15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe | 29
PID 2900 wrote to memory of 2132 | 2900 | Egedebgc.exe | 30
PID 2900 wrote to memory of 2132 | 2900 | Egedebgc.exe | 30
PID 2900 wrote to memory of 2132 | 2900 | Egedebgc.exe | 30
PID 2900 wrote to memory of 2132 | 2900 | Egedebgc.exe | 30
PID 2132 wrote to memory of 2204 | 2132 | Enajgllm.exe | 31
PID 2132 wrote to memory of 2204 | 2132 | Enajgllm.exe | 31
PID 2132 wrote to memory of 2204 | 2132 | Enajgllm.exe | 31
PID 2132 wrote to memory of 2204 | 2132 | Enajgllm.exe | 31
PID 2204 wrote to memory of 2952 | 2204 | Fcqoec32.exe | 32
PID 2204 wrote to memory of 2952 | 2204 | Fcqoec32.exe | 32
PID 2204 wrote to memory of 2952 | 2204 | Fcqoec32.exe | 32
PID 2204 wrote to memory of 2952 | 2204 | Fcqoec32.exe | 32
PID 2952 wrote to memory of 2628 | 2952 | Fpgpjdnf.exe | 33
PID 2952 wrote to memory of 2628 | 2952 | Fpgpjdnf.exe | 33
PID 2952 wrote to memory of 2628 | 2952 | Fpgpjdnf.exe | 33
PID 2952 wrote to memory of 2628 | 2952 | Fpgpjdnf.exe | 33
PID 2628 wrote to memory of 3052 | 2628 | Fibqhibd.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Fibqhibd.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Fibqhibd.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Fibqhibd.exe | 34
PID 3052 wrote to memory of 2028 | 3052 | Flcjjdpe.exe | 35
PID 3052 wrote to memory of 2028 | 3052 | Flcjjdpe.exe | 35
PID 3052 wrote to memory of 2028 | 3052 | Flcjjdpe.exe | 35
PID 3052 wrote to memory of 2028 | 3052 | Flcjjdpe.exe | 35
PID 2028 wrote to memory of 2516 | 2028 | Gdpkdf32.exe | 36
PID 2028 wrote to memory of 2516 | 2028 | Gdpkdf32.exe | 36
PID 2028 wrote to memory of 2516 | 2028 | Gdpkdf32.exe | 36
PID 2028 wrote to memory of 2516 | 2028 | Gdpkdf32.exe | 36
PID 2516 wrote to memory of 1280 | 2516 | Gdchifik.exe | 37
PID 2516 wrote to memory of 1280 | 2516 | Gdchifik.exe | 37
PID 2516 wrote to memory of 1280 | 2516 | Gdchifik.exe | 37
PID 2516 wrote to memory of 1280 | 2516 | Gdchifik.exe | 37
PID 1280 wrote to memory of 2700 | 1280 | Gmklbk32.exe | 38
PID 1280 wrote to memory of 2700 | 1280 | Gmklbk32.exe | 38
PID 1280 wrote to memory of 2700 | 1280 | Gmklbk32.exe | 38
PID 1280 wrote to memory of 2700 | 1280 | Gmklbk32.exe | 38
PID 2700 wrote to memory of 1988 | 2700 | Hjaiaolb.exe | 39
PID 2700 wrote to memory of 1988 | 2700 | Hjaiaolb.exe | 39
PID 2700 wrote to memory of 1988 | 2700 | Hjaiaolb.exe | 39
PID 2700 wrote to memory of 1988 | 2700 | Hjaiaolb.exe | 39
PID 1988 wrote to memory of 388 | 1988 | Hiffbl32.exe | 40
PID 1988 wrote to memory of 388 | 1988 | Hiffbl32.exe | 40
PID 1988 wrote to memory of 388 | 1988 | Hiffbl32.exe | 40
PID 1988 wrote to memory of 388 | 1988 | Hiffbl32.exe | 40
PID 388 wrote to memory of 2992 | 388 | Hbokkagk.exe | 41
PID 388 wrote to memory of 2992 | 388 | Hbokkagk.exe | 41
PID 388 wrote to memory of 2992 | 388 | Hbokkagk.exe | 41
PID 388 wrote to memory of 2992 | 388 | Hbokkagk.exe | 41
PID 2992 wrote to memory of 2428 | 2992 | Hbcdfq32.exe | 42
PID 2992 wrote to memory of 2428 | 2992 | Hbcdfq32.exe | 42
PID 2992 wrote to memory of 2428 | 2992 | Hbcdfq32.exe | 42
PID 2992 wrote to memory of 2428 | 2992 | Hbcdfq32.exe | 42
PID 2428 wrote to memory of 572 | 2428 | Hkoikcaq.exe | 43
PID 2428 wrote to memory of 572 | 2428 | Hkoikcaq.exe | 43
PID 2428 wrote to memory of 572 | 2428 | Hkoikcaq.exe | 43
PID 2428 wrote to memory of 572 | 2428 | Hkoikcaq.exe | 43
PID 572 wrote to memory of 1952 | 572 | Iegjnkod.exe | 44
PID 572 wrote to memory of 1952 | 572 | Iegjnkod.exe | 44
PID 572 wrote to memory of 1952 | 572 | Iegjnkod.exe | 44
PID 572 wrote to memory of 1952 | 572 | Iegjnkod.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe"C:\Users\Admin\AppData\Local\Temp\15ea1e9af7ab072939c0dcfe96abb93af75a0a587e2179d7cc458c0756f8159c.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Egedebgc.exeC:\Windows\system32\Egedebgc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Enajgllm.exeC:\Windows\system32\Enajgllm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Fcqoec32.exeC:\Windows\system32\Fcqoec32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Fibqhibd.exeC:\Windows\system32\Fibqhibd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Flcjjdpe.exeC:\Windows\system32\Flcjjdpe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Gdpkdf32.exeC:\Windows\system32\Gdpkdf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Gdchifik.exeC:\Windows\system32\Gdchifik.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Gmklbk32.exeC:\Windows\system32\Gmklbk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Hjaiaolb.exeC:\Windows\system32\Hjaiaolb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hiffbl32.exeC:\Windows\system32\Hiffbl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Hbokkagk.exeC:\Windows\system32\Hbokkagk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Hbcdfq32.exeC:\Windows\system32\Hbcdfq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Hkoikcaq.exeC:\Windows\system32\Hkoikcaq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Iegjnkod.exeC:\Windows\system32\Iegjnkod.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Inbobn32.exeC:\Windows\system32\Inbobn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Indkgm32.exeC:\Windows\system32\Indkgm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Idqpjg32.exeC:\Windows\system32\Idqpjg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Jojaje32.exeC:\Windows\system32\Jojaje32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Jlnadiko.exeC:\Windows\system32\Jlnadiko.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Jlqniihl.exeC:\Windows\system32\Jlqniihl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Jbmgapgc.exeC:\Windows\system32\Jbmgapgc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Jdnpck32.exeC:\Windows\system32\Jdnpck32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Jnfdlpje.exeC:\Windows\system32\Jnfdlpje.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Kdcinjpo.exeC:\Windows\system32\Kdcinjpo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Lnhmqc32.exeC:\Windows\system32\Lnhmqc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Mpeidjfo.exeC:\Windows\system32\Mpeidjfo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Napibq32.exeC:\Windows\system32\Napibq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Nodikecl.exeC:\Windows\system32\Nodikecl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Nkkjpf32.exeC:\Windows\system32\Nkkjpf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Nhojjjhj.exeC:\Windows\system32\Nhojjjhj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Npjonlee.exeC:\Windows\system32\Npjonlee.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Omnpgqdo.exeC:\Windows\system32\Omnpgqdo.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Ocmdeg32.exeC:\Windows\system32\Ocmdeg32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Oenngb32.exeC:\Windows\system32\Oenngb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Pnbeacbd.exeC:\Windows\system32\Pnbeacbd.exe37⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Pjiffd32.exeC:\Windows\system32\Pjiffd32.exe38⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Qbggqfca.exeC:\Windows\system32\Qbggqfca.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Qcfdji32.exeC:\Windows\system32\Qcfdji32.exe40⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Anpekggc.exeC:\Windows\system32\Anpekggc.exe41⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Aghidl32.exeC:\Windows\system32\Aghidl32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Aaqnmbdd.exeC:\Windows\system32\Aaqnmbdd.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Ajibeg32.exeC:\Windows\system32\Ajibeg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Acafnm32.exeC:\Windows\system32\Acafnm32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Aaegha32.exeC:\Windows\system32\Aaegha32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ajnlqgfo.exeC:\Windows\system32\Ajnlqgfo.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Acfpilmp.exeC:\Windows\system32\Acfpilmp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bajqcqli.exeC:\Windows\system32\Bajqcqli.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Bjbelf32.exeC:\Windows\system32\Bjbelf32.exe50⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Bbnjphpe.exeC:\Windows\system32\Bbnjphpe.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Bbpffhnb.exeC:\Windows\system32\Bbpffhnb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bhmonoli.exeC:\Windows\system32\Bhmonoli.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Beqogc32.exeC:\Windows\system32\Beqogc32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Cbdpag32.exeC:\Windows\system32\Cbdpag32.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Chahin32.exeC:\Windows\system32\Chahin32.exe56⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Cmnqae32.exeC:\Windows\system32\Cmnqae32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Chdeonfa.exeC:\Windows\system32\Chdeonfa.exe58⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Cpojcpcm.exeC:\Windows\system32\Cpojcpcm.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Cignlf32.exeC:\Windows\system32\Cignlf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Cpafhpaj.exeC:\Windows\system32\Cpafhpaj.exe61⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ckgkfi32.exeC:\Windows\system32\Ckgkfi32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Cgnkkjgd.exeC:\Windows\system32\Cgnkkjgd.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Dhadhakp.exeC:\Windows\system32\Dhadhakp.exe64⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Diqabd32.exeC:\Windows\system32\Diqabd32.exe65⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Dkbnjmhq.exeC:\Windows\system32\Dkbnjmhq.exe66⤵PID:1540
-
C:\Windows\SysWOW64\Dlajdpoc.exeC:\Windows\system32\Dlajdpoc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Danblfmk.exeC:\Windows\system32\Danblfmk.exe68⤵PID:996
-
C:\Windows\SysWOW64\Dkggel32.exeC:\Windows\system32\Dkggel32.exe69⤵PID:3040
-
C:\Windows\SysWOW64\Daqoafkh.exeC:\Windows\system32\Daqoafkh.exe70⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Ekicjlai.exeC:\Windows\system32\Ekicjlai.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Epflbbpp.exeC:\Windows\system32\Epflbbpp.exe72⤵PID:2328
-
C:\Windows\SysWOW64\Enjmlgoj.exeC:\Windows\system32\Enjmlgoj.exe73⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ecfednma.exeC:\Windows\system32\Ecfednma.exe74⤵PID:2236
-
C:\Windows\SysWOW64\Eqjenb32.exeC:\Windows\system32\Eqjenb32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Efgnfi32.exeC:\Windows\system32\Efgnfi32.exe76⤵PID:1744
-
C:\Windows\SysWOW64\Eqmbca32.exeC:\Windows\system32\Eqmbca32.exe77⤵PID:552
-
C:\Windows\SysWOW64\Fnleqj32.exeC:\Windows\system32\Fnleqj32.exe78⤵PID:2228
-
C:\Windows\SysWOW64\Ggfgoo32.exeC:\Windows\system32\Ggfgoo32.exe79⤵PID:2104
-
C:\Windows\SysWOW64\Gcmgdpid.exeC:\Windows\system32\Gcmgdpid.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Gaahmd32.exeC:\Windows\system32\Gaahmd32.exe81⤵PID:824
-
C:\Windows\SysWOW64\Glkinb32.exeC:\Windows\system32\Glkinb32.exe82⤵PID:456
-
C:\Windows\SysWOW64\Gmjehe32.exeC:\Windows\system32\Gmjehe32.exe83⤵
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Gefjlg32.exeC:\Windows\system32\Gefjlg32.exe84⤵PID:2332
-
C:\Windows\SysWOW64\Hiccbfoa.exeC:\Windows\system32\Hiccbfoa.exe85⤵PID:2000
-
C:\Windows\SysWOW64\Hjeojnep.exeC:\Windows\system32\Hjeojnep.exe86⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Hjglpncm.exeC:\Windows\system32\Hjglpncm.exe87⤵PID:2832
-
C:\Windows\SysWOW64\Hhklibbf.exeC:\Windows\system32\Hhklibbf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Hacabgig.exeC:\Windows\system32\Hacabgig.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Hioefjfb.exeC:\Windows\system32\Hioefjfb.exe90⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Hbgjoo32.exeC:\Windows\system32\Hbgjoo32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Ilpohecc.exeC:\Windows\system32\Ilpohecc.exe92⤵PID:2928
-
C:\Windows\SysWOW64\Ilbknd32.exeC:\Windows\system32\Ilbknd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Iiflgi32.exeC:\Windows\system32\Iiflgi32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Iaaqkkme.exeC:\Windows\system32\Iaaqkkme.exe95⤵PID:2436
-
C:\Windows\SysWOW64\Ilfeidmk.exeC:\Windows\system32\Ilfeidmk.exe96⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Ibqmen32.exeC:\Windows\system32\Ibqmen32.exe97⤵PID:924
-
C:\Windows\SysWOW64\Iklajp32.exeC:\Windows\system32\Iklajp32.exe98⤵PID:2344
-
C:\Windows\SysWOW64\Jknnoppp.exeC:\Windows\system32\Jknnoppp.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Jgeoda32.exeC:\Windows\system32\Jgeoda32.exe100⤵PID:2776
-
C:\Windows\SysWOW64\Jnogakma.exeC:\Windows\system32\Jnogakma.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Jkbhjo32.exeC:\Windows\system32\Jkbhjo32.exe102⤵PID:2680
-
C:\Windows\SysWOW64\Jpppbf32.exeC:\Windows\system32\Jpppbf32.exe103⤵PID:584
-
C:\Windows\SysWOW64\Jjheklqc.exeC:\Windows\system32\Jjheklqc.exe104⤵PID:972
-
C:\Windows\SysWOW64\Jgleep32.exeC:\Windows\system32\Jgleep32.exe105⤵PID:976
-
C:\Windows\SysWOW64\Klinmg32.exeC:\Windows\system32\Klinmg32.exe106⤵PID:2268
-
C:\Windows\SysWOW64\Kjmnfk32.exeC:\Windows\system32\Kjmnfk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Koifob32.exeC:\Windows\system32\Koifob32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Kolcdahb.exeC:\Windows\system32\Kolcdahb.exe109⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Kdhlmhgj.exeC:\Windows\system32\Kdhlmhgj.exe110⤵PID:2492
-
C:\Windows\SysWOW64\Kbllfmfc.exeC:\Windows\system32\Kbllfmfc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Kgienc32.exeC:\Windows\system32\Kgienc32.exe112⤵PID:2220
-
C:\Windows\SysWOW64\Kqaigijk.exeC:\Windows\system32\Kqaigijk.exe113⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Lkgmdbja.exeC:\Windows\system32\Lkgmdbja.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Lqdfmihh.exeC:\Windows\system32\Lqdfmihh.exe115⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Lnhffm32.exeC:\Windows\system32\Lnhffm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Lfckko32.exeC:\Windows\system32\Lfckko32.exe117⤵PID:2924
-
C:\Windows\SysWOW64\Lokpcekn.exeC:\Windows\system32\Lokpcekn.exe118⤵PID:2108
-
C:\Windows\SysWOW64\Liddljan.exeC:\Windows\system32\Liddljan.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Lblhep32.exeC:\Windows\system32\Lblhep32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Lkdmneoo.exeC:\Windows\system32\Lkdmneoo.exe121⤵PID:928
-
C:\Windows\SysWOW64\Mihngj32.exeC:\Windows\system32\Mihngj32.exe122⤵
- Modifies registry class
PID:2056