Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
27/07/2024, 07:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aa81f2b20a103e7fa901931be8b9b4a0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
aa81f2b20a103e7fa901931be8b9b4a0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
aa81f2b20a103e7fa901931be8b9b4a0N.exe
-
Size
352KB
-
MD5
aa81f2b20a103e7fa901931be8b9b4a0
-
SHA1
ae83b4a1dd167f1e3a39e36a7a79196e5bb71512
-
SHA256
d0dced9f244b3c6cc437a11684524b86c545850dc7b0b9e5b6a37e730c5dd69e
-
SHA512
acaa48a71e745aab982aba107c643dacdd42b87c5191b2559e1a29c7ff8388548616b23d7b4f81c0a50fd9ba4d22ffc7df631646a856a12afcde7befc06fbda0
-
SSDEEP
6144:++Z5ncEzbJ3hz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:+A5ncEHIsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoilcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mojmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpicceon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnpfckmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paqoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Belcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcgmgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nekbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffblb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhjdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpfmnmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffomjgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifhinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeiekgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqmbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doflofbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclolakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neohbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcaaahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okefjcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lceond32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdanngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphcgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckeno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfdnnlbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echpaecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjiffd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clecnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cboljemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcahga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkoadhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgghidfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meolcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpndkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagncl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqfdlmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcijmhdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghnaaljp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlbcgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpkepnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdaoacif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgaaiian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodmdboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkladpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnadiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdknfiea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hocmbjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddoep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinolcbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafbid32.exe -
Executes dropped EXE 64 IoCs
pid Process 972 Oafjfokk.exe 2864 Ohcohh32.exe 2944 Pjfdpckc.exe 2724 Qpjchicb.exe 2636 Qhehmkqn.exe 1020 Apeflmjc.exe 1168 Bgfdjfkh.exe 2588 Bapejd32.exe 3024 Bnicddki.exe 3040 Cnmlpd32.exe 3016 Cnpieceq.exe 2840 Cjkcedgp.exe 1480 Dmllgo32.exe 2260 Dlfbck32.exe 2064 Ejmljg32.exe 2160 Eoanij32.exe 2448 Fljhmmci.exe 856 Fomndhng.exe 1528 Gaiijgbi.exe 1336 Hcfenn32.exe 1972 Ifgooikk.exe 1040 Ioapnn32.exe 2400 Iijdfc32.exe 1356 Jmqckf32.exe 1572 Jjdcdjcm.exe 2472 Jfkdik32.exe 2352 Jfpndkel.exe 2752 Keekeg32.exe 3068 Kopldl32.exe 2684 Kldlmqml.exe 2616 Ldangbhd.exe 1160 Linfpi32.exe 2072 Llalgdbj.exe 2140 Lggpdmap.exe 3008 Mognco32.exe 2956 Mkbhco32.exe 1832 Ncnmhajo.exe 324 Ngkfnp32.exe 2252 Ncbfcq32.exe 2088 Nkbdbbop.exe 2036 Odjikh32.exe 1484 Oemfahcn.exe 616 Oqcffi32.exe 1012 Ofqonp32.exe 3028 Oafclh32.exe 1920 Ojnhdn32.exe 1212 Obilip32.exe 1740 Picdejbg.exe 1116 Plbaafak.exe 2744 Pmamliin.exe 2932 Pembpkfi.exe 2784 Pacbel32.exe 2800 Pbcooo32.exe 2688 Qechqj32.exe 2652 Aoilcc32.exe 2084 Bdknfiea.exe 2928 Cjaieoko.exe 2544 Cfhjjp32.exe 684 Copobe32.exe 2232 Cldolj32.exe 2732 Cgnpmg32.exe 2444 Cnhhia32.exe 2176 Cgpmbgai.exe 2384 Dcgmgh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 972 Oafjfokk.exe 972 Oafjfokk.exe 2864 Ohcohh32.exe 2864 Ohcohh32.exe 2944 Pjfdpckc.exe 2944 Pjfdpckc.exe 2724 Qpjchicb.exe 2724 Qpjchicb.exe 2636 Qhehmkqn.exe 2636 Qhehmkqn.exe 1020 Apeflmjc.exe 1020 Apeflmjc.exe 1168 Bgfdjfkh.exe 1168 Bgfdjfkh.exe 2588 Bapejd32.exe 2588 Bapejd32.exe 3024 Bnicddki.exe 3024 Bnicddki.exe 3040 Cnmlpd32.exe 3040 Cnmlpd32.exe 3016 Cnpieceq.exe 3016 Cnpieceq.exe 2840 Cjkcedgp.exe 2840 Cjkcedgp.exe 1480 Dmllgo32.exe 1480 Dmllgo32.exe 2260 Dlfbck32.exe 2260 Dlfbck32.exe 2064 Ejmljg32.exe 2064 Ejmljg32.exe 2160 Eoanij32.exe 2160 Eoanij32.exe 2448 Fljhmmci.exe 2448 Fljhmmci.exe 856 Fomndhng.exe 856 Fomndhng.exe 1528 Gaiijgbi.exe 1528 Gaiijgbi.exe 1336 Hcfenn32.exe 1336 Hcfenn32.exe 1972 Ifgooikk.exe 1972 Ifgooikk.exe 1040 Ioapnn32.exe 1040 Ioapnn32.exe 2400 Iijdfc32.exe 2400 Iijdfc32.exe 1356 Jmqckf32.exe 1356 Jmqckf32.exe 1572 Jjdcdjcm.exe 1572 Jjdcdjcm.exe 2472 Jfkdik32.exe 2472 Jfkdik32.exe 2352 Jfpndkel.exe 2352 Jfpndkel.exe 2752 Keekeg32.exe 2752 Keekeg32.exe 3068 Kopldl32.exe 3068 Kopldl32.exe 2684 Kldlmqml.exe 2684 Kldlmqml.exe 2616 Ldangbhd.exe 2616 Ldangbhd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Noagionb.dll Obbonk32.exe File created C:\Windows\SysWOW64\Jqmadn32.exe Jgdmkhnp.exe File created C:\Windows\SysWOW64\Okjenb32.dll Kaojiqej.exe File opened for modification C:\Windows\SysWOW64\Conmkh32.exe Cajmbd32.exe File created C:\Windows\SysWOW64\Gfdcdi32.exe Gmlokdgp.exe File created C:\Windows\SysWOW64\Bnicddki.exe Bapejd32.exe File created C:\Windows\SysWOW64\Pdcgpi32.dll Ifgooikk.exe File created C:\Windows\SysWOW64\Jgojopob.dll Llojpghe.exe File opened for modification C:\Windows\SysWOW64\Qohkdkdn.exe Pgmfph32.exe File created C:\Windows\SysWOW64\Chncajid.dll Fpphlp32.exe File opened for modification C:\Windows\SysWOW64\Pnminkof.exe Ogcaaahi.exe File created C:\Windows\SysWOW64\Eggpoami.dll Jakjlpif.exe File opened for modification C:\Windows\SysWOW64\Aeofcpjj.exe Aooaej32.exe File created C:\Windows\SysWOW64\Qlqagg32.dll Cgnkkjgd.exe File created C:\Windows\SysWOW64\Ilcfjkgj.exe Hnjonpgg.exe File created C:\Windows\SysWOW64\Lgieac32.dll Hohhfbkl.exe File created C:\Windows\SysWOW64\Aamhdckg.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Nhhkhfbh.dll Afhfpc32.exe File opened for modification C:\Windows\SysWOW64\Bapejd32.exe Bgfdjfkh.exe File created C:\Windows\SysWOW64\Fabppo32.exe Ecnpgj32.exe File created C:\Windows\SysWOW64\Kplogk32.dll Hkoikcaq.exe File opened for modification C:\Windows\SysWOW64\Kbjpqmhf.exe Kfcoll32.exe File opened for modification C:\Windows\SysWOW64\Lekeak32.exe Lpnlid32.exe File created C:\Windows\SysWOW64\Mognco32.exe Lggpdmap.exe File opened for modification C:\Windows\SysWOW64\Obbonk32.exe Ofkoijhc.exe File created C:\Windows\SysWOW64\Pcjmdd32.exe Phdiglap.exe File opened for modification C:\Windows\SysWOW64\Bimdka32.exe Bcqlcj32.exe File opened for modification C:\Windows\SysWOW64\Hchcmnlj.exe Gfdcdi32.exe File created C:\Windows\SysWOW64\Ohcohh32.exe Oafjfokk.exe File opened for modification C:\Windows\SysWOW64\Jodmdboj.exe Jjheklqc.exe File opened for modification C:\Windows\SysWOW64\Domgache.exe Dhcoei32.exe File opened for modification C:\Windows\SysWOW64\Aamhdckg.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Njeikpij.exe Nifmqm32.exe File created C:\Windows\SysWOW64\Hbmpoj32.exe Hchcmnlj.exe File opened for modification C:\Windows\SysWOW64\Jnaihhgf.exe Jkcllmhb.exe File opened for modification C:\Windows\SysWOW64\Belcck32.exe Biecoj32.exe File created C:\Windows\SysWOW64\Mnokki32.dll Hjdfgojp.exe File opened for modification C:\Windows\SysWOW64\Pgnpcg32.exe Pfmclold.exe File opened for modification C:\Windows\SysWOW64\Gkhenlcd.exe Ggjmhn32.exe File created C:\Windows\SysWOW64\Kjgjpiob.exe Kjdmjiae.exe File opened for modification C:\Windows\SysWOW64\Cjdonndl.exe Chccfe32.exe File opened for modification C:\Windows\SysWOW64\Flnpoe32.exe Fjmdgmnl.exe File created C:\Windows\SysWOW64\Cjmfag32.dll Ebhjdc32.exe File created C:\Windows\SysWOW64\Fcnmploa.dll Jkcllmhb.exe File created C:\Windows\SysWOW64\Baeanl32.exe Bkkiab32.exe File opened for modification C:\Windows\SysWOW64\Jofhqiec.exe Jimodo32.exe File created C:\Windows\SysWOW64\Kicmee32.dll Aoqjhiie.exe File opened for modification C:\Windows\SysWOW64\Cboljemb.exe Clecnk32.exe File created C:\Windows\SysWOW64\Cnpieceq.exe Cnmlpd32.exe File opened for modification C:\Windows\SysWOW64\Cnhhia32.exe Cgnpmg32.exe File created C:\Windows\SysWOW64\Akojljcj.dll Imgjfe32.exe File opened for modification C:\Windows\SysWOW64\Kdaoacif.exe Jodfilko.exe File opened for modification C:\Windows\SysWOW64\Ogcaaahi.exe Onkmhl32.exe File opened for modification C:\Windows\SysWOW64\Chafpfqp.exe Bagncl32.exe File created C:\Windows\SysWOW64\Aokdfe32.dll Odjikh32.exe File opened for modification C:\Windows\SysWOW64\Ndclpb32.exe Nnidchqp.exe File created C:\Windows\SysWOW64\Ecnajl32.dll Dopdgb32.exe File created C:\Windows\SysWOW64\Ipjlgf32.dll Mmaghc32.exe File created C:\Windows\SysWOW64\Mnbpgb32.exe Ljdgqc32.exe File created C:\Windows\SysWOW64\Kipqpl32.dll Depelp32.exe File opened for modification C:\Windows\SysWOW64\Hinolcbf.exe Hnhjok32.exe File created C:\Windows\SysWOW64\Ibfcei32.exe Hinolcbf.exe File created C:\Windows\SysWOW64\Pkdicckk.dll Cgnpmg32.exe File created C:\Windows\SysWOW64\Lpccqd32.dll Ndclpb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1760 1700 WerFault.exe 494 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjlpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omaepoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpphlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeiekgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llalgdbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picdejbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjphff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbckh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhenlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnminkof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmaaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodmdboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlgdaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchcmnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnlid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohifch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdaoacif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqakompl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjheklqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkeialfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfbia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekncjfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmakd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjiffd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihngj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmhjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmclold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighfecdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqeqhlii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijkaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffomjgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigkmmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndjei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecdhonoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpiig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbcgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqpdgni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhjok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkike32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgiga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgjbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjgiad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjglcmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdmkhnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meolcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgpfjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcidgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opllclcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioapnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mognco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhjlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkbhco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgikklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enajgllm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnnhm32.dll" Linfpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnagehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhkhfbh.dll" Afhfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbjbof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlodma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdknfiea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madiaabn.dll" Fpecddpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcqlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjlbh32.dll" Fehodaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amgdol32.dll" Okgpfjbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglfbk32.dll" Akhopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioapnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqgpq32.dll" Plbaafak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnceoffd.dll" Bpdgolml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cajmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjglcmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ighfecdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlepmnhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iijdfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpiikml.dll" Oqcffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfehhmgp.dll" Cfhjjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcfbhb32.dll" Akpfmnmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcmmhmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poqniegj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbqei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bodhlane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggpoami.dll" Jakjlpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbfjaeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lafpipoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkoadhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgghidfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mognco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhjjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofkoijhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belcck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqbacl32.dll" Bndckc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiepga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpaaa32.dll" Diklpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcfjkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgkqq32.dll" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjoiblj.dll" Ogigpllh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkniao32.dll" Kldlmqml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfdnnlbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnenojn.dll" Bagncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcleaanm.dll" Jgdmkhnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigbmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node aa81f2b20a103e7fa901931be8b9b4a0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiljm32.dll" Mpmfoodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neojknfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihngj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaiijgbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghnaaljp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adcidm32.dll" Jgllof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkmakd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 972 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 29 PID 2556 wrote to memory of 972 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 29 PID 2556 wrote to memory of 972 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 29 PID 2556 wrote to memory of 972 2556 aa81f2b20a103e7fa901931be8b9b4a0N.exe 29 PID 972 wrote to memory of 2864 972 Oafjfokk.exe 30 PID 972 wrote to memory of 2864 972 Oafjfokk.exe 30 PID 972 wrote to memory of 2864 972 Oafjfokk.exe 30 PID 972 wrote to memory of 2864 972 Oafjfokk.exe 30 PID 2864 wrote to memory of 2944 2864 Ohcohh32.exe 31 PID 2864 wrote to memory of 2944 2864 Ohcohh32.exe 31 PID 2864 wrote to memory of 2944 2864 Ohcohh32.exe 31 PID 2864 wrote to memory of 2944 2864 Ohcohh32.exe 31 PID 2944 wrote to memory of 2724 2944 Pjfdpckc.exe 32 PID 2944 wrote to memory of 2724 2944 Pjfdpckc.exe 32 PID 2944 wrote to memory of 2724 2944 Pjfdpckc.exe 32 PID 2944 wrote to memory of 2724 2944 Pjfdpckc.exe 32 PID 2724 wrote to memory of 2636 2724 Qpjchicb.exe 33 PID 2724 wrote to memory of 2636 2724 Qpjchicb.exe 33 PID 2724 wrote to memory of 2636 2724 Qpjchicb.exe 33 PID 2724 wrote to memory of 2636 2724 Qpjchicb.exe 33 PID 2636 wrote to memory of 1020 2636 Qhehmkqn.exe 34 PID 2636 wrote to memory of 1020 2636 Qhehmkqn.exe 34 PID 2636 wrote to memory of 1020 2636 Qhehmkqn.exe 34 PID 2636 wrote to memory of 1020 2636 Qhehmkqn.exe 34 PID 1020 wrote to memory of 1168 1020 Apeflmjc.exe 35 PID 1020 wrote to memory of 1168 1020 Apeflmjc.exe 35 PID 1020 wrote to memory of 1168 1020 Apeflmjc.exe 35 PID 1020 wrote to memory of 1168 1020 Apeflmjc.exe 35 PID 1168 wrote to memory of 2588 1168 Bgfdjfkh.exe 36 PID 1168 wrote to memory of 2588 1168 Bgfdjfkh.exe 36 PID 1168 wrote to memory of 2588 1168 Bgfdjfkh.exe 36 PID 1168 wrote to memory of 2588 1168 Bgfdjfkh.exe 36 PID 2588 wrote to memory of 3024 2588 Bapejd32.exe 37 PID 2588 wrote to memory of 3024 2588 Bapejd32.exe 37 PID 2588 wrote to memory of 3024 2588 Bapejd32.exe 37 PID 2588 wrote to memory of 3024 2588 Bapejd32.exe 37 PID 3024 wrote to memory of 3040 3024 Bnicddki.exe 38 PID 3024 wrote to memory of 3040 3024 Bnicddki.exe 38 PID 3024 wrote to memory of 3040 3024 Bnicddki.exe 38 PID 3024 wrote to memory of 3040 3024 Bnicddki.exe 38 PID 3040 wrote to memory of 3016 3040 Cnmlpd32.exe 39 PID 3040 wrote to memory of 3016 3040 Cnmlpd32.exe 39 PID 3040 wrote to memory of 3016 3040 Cnmlpd32.exe 39 PID 3040 wrote to memory of 3016 3040 Cnmlpd32.exe 39 PID 3016 wrote to memory of 2840 3016 Cnpieceq.exe 40 PID 3016 wrote to memory of 2840 3016 Cnpieceq.exe 40 PID 3016 wrote to memory of 2840 3016 Cnpieceq.exe 40 PID 3016 wrote to memory of 2840 3016 Cnpieceq.exe 40 PID 2840 wrote to memory of 1480 2840 Cjkcedgp.exe 41 PID 2840 wrote to memory of 1480 2840 Cjkcedgp.exe 41 PID 2840 wrote to memory of 1480 2840 Cjkcedgp.exe 41 PID 2840 wrote to memory of 1480 2840 Cjkcedgp.exe 41 PID 1480 wrote to memory of 2260 1480 Dmllgo32.exe 42 PID 1480 wrote to memory of 2260 1480 Dmllgo32.exe 42 PID 1480 wrote to memory of 2260 1480 Dmllgo32.exe 42 PID 1480 wrote to memory of 2260 1480 Dmllgo32.exe 42 PID 2260 wrote to memory of 2064 2260 Dlfbck32.exe 43 PID 2260 wrote to memory of 2064 2260 Dlfbck32.exe 43 PID 2260 wrote to memory of 2064 2260 Dlfbck32.exe 43 PID 2260 wrote to memory of 2064 2260 Dlfbck32.exe 43 PID 2064 wrote to memory of 2160 2064 Ejmljg32.exe 44 PID 2064 wrote to memory of 2160 2064 Ejmljg32.exe 44 PID 2064 wrote to memory of 2160 2064 Ejmljg32.exe 44 PID 2064 wrote to memory of 2160 2064 Ejmljg32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa81f2b20a103e7fa901931be8b9b4a0N.exe"C:\Users\Admin\AppData\Local\Temp\aa81f2b20a103e7fa901931be8b9b4a0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Qpjchicb.exeC:\Windows\system32\Qpjchicb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Apeflmjc.exeC:\Windows\system32\Apeflmjc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Bnicddki.exeC:\Windows\system32\Bnicddki.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Hcfenn32.exeC:\Windows\system32\Hcfenn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Ifgooikk.exeC:\Windows\system32\Ifgooikk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Ioapnn32.exeC:\Windows\system32\Ioapnn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Linfpi32.exeC:\Windows\system32\Linfpi32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe38⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ngkfnp32.exeC:\Windows\system32\Ngkfnp32.exe39⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe40⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe41⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe43⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe46⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe47⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Obilip32.exeC:\Windows\system32\Obilip32.exe48⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Pmamliin.exeC:\Windows\system32\Pmamliin.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe52⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Pacbel32.exeC:\Windows\system32\Pacbel32.exe53⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe54⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Qechqj32.exeC:\Windows\system32\Qechqj32.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Aoilcc32.exeC:\Windows\system32\Aoilcc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe60⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Cldolj32.exeC:\Windows\system32\Cldolj32.exe61⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe64⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dcgmgh32.exeC:\Windows\system32\Dcgmgh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe67⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe68⤵PID:1536
-
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe69⤵PID:1948
-
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe70⤵
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe71⤵PID:772
-
C:\Windows\SysWOW64\Elleai32.exeC:\Windows\system32\Elleai32.exe72⤵PID:932
-
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Eeicenni.exeC:\Windows\system32\Eeicenni.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Elbkbh32.exeC:\Windows\system32\Elbkbh32.exe75⤵PID:2316
-
C:\Windows\SysWOW64\Ecnpgj32.exeC:\Windows\system32\Ecnpgj32.exe76⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Fabppo32.exeC:\Windows\system32\Fabppo32.exe77⤵PID:1520
-
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe78⤵PID:2980
-
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe79⤵PID:2076
-
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe80⤵PID:2948
-
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe81⤵PID:2968
-
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe82⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe83⤵PID:3056
-
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe84⤵PID:1800
-
C:\Windows\SysWOW64\Gocpcfeb.exeC:\Windows\system32\Gocpcfeb.exe85⤵PID:2272
-
C:\Windows\SysWOW64\Gdpikmci.exeC:\Windows\system32\Gdpikmci.exe86⤵PID:660
-
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Ghnaaljp.exeC:\Windows\system32\Ghnaaljp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Gpiffngk.exeC:\Windows\system32\Gpiffngk.exe89⤵PID:640
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe90⤵PID:2496
-
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe91⤵PID:912
-
C:\Windows\SysWOW64\Hdilalko.exeC:\Windows\system32\Hdilalko.exe92⤵PID:1624
-
C:\Windows\SysWOW64\Hnapja32.exeC:\Windows\system32\Hnapja32.exe93⤵PID:1724
-
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe95⤵PID:2972
-
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe96⤵PID:1608
-
C:\Windows\SysWOW64\Hafbid32.exeC:\Windows\system32\Hafbid32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Hhbgkn32.exeC:\Windows\system32\Hhbgkn32.exe99⤵PID:1728
-
C:\Windows\SysWOW64\Ibklddof.exeC:\Windows\system32\Ibklddof.exe100⤵PID:3012
-
C:\Windows\SysWOW64\Ijfpif32.exeC:\Windows\system32\Ijfpif32.exe101⤵PID:2992
-
C:\Windows\SysWOW64\Ibmhjc32.exeC:\Windows\system32\Ibmhjc32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Indiodbh.exeC:\Windows\system32\Indiodbh.exe103⤵PID:2668
-
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe104⤵PID:2180
-
C:\Windows\SysWOW64\Inffdd32.exeC:\Windows\system32\Inffdd32.exe105⤵PID:2464
-
C:\Windows\SysWOW64\Igojmjgf.exeC:\Windows\system32\Igojmjgf.exe106⤵PID:2516
-
C:\Windows\SysWOW64\Iojoalda.exeC:\Windows\system32\Iojoalda.exe107⤵PID:2256
-
C:\Windows\SysWOW64\Jjocoedg.exeC:\Windows\system32\Jjocoedg.exe108⤵PID:436
-
C:\Windows\SysWOW64\Jbkhcg32.exeC:\Windows\system32\Jbkhcg32.exe109⤵PID:1588
-
C:\Windows\SysWOW64\Jkcllmhb.exeC:\Windows\system32\Jkcllmhb.exe110⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe111⤵PID:2964
-
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe112⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe113⤵PID:2876
-
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe114⤵PID:2204
-
C:\Windows\SysWOW64\Jkjbml32.exeC:\Windows\system32\Jkjbml32.exe115⤵PID:2632
-
C:\Windows\SysWOW64\Kfccmini.exeC:\Windows\system32\Kfccmini.exe116⤵PID:3060
-
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe117⤵PID:2436
-
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe118⤵PID:1392
-
C:\Windows\SysWOW64\Nekbjf32.exeC:\Windows\system32\Nekbjf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe120⤵PID:2304
-
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe121⤵
- Drops file in System32 directory
PID:1976
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-