Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 115s
max time network: 20s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2024, 17:00
Static task: static1
Behavioral task behavioral1: sample b385c11f5b2ab9bb6ea9018f5ed99220N.exe, resource win7-20240704-en
Behavioral task behavioral2: sample b385c11f5b2ab9bb6ea9018f5ed99220N.exe, resource win10v2004-20240802-en
General
Target: b385c11f5b2ab9bb6ea9018f5ed99220N.exe
Size: 448KB
MD5: b385c11f5b2ab9bb6ea9018f5ed99220
SHA1: 3d38fb0761c20e18e5adb0c0c3ff6271a523800e
SHA256: 6299d18b10506637566a56cc1f45b1b8d2381736eb9125823308e3e64708b7a9
SHA512: 4f4da9aa846718ac45611cf14ecc9fd7e14c4b884d3ca0b3ab40b28cfe3855dc2537bdcc0a9457e06cd68076b73ea228b70bb6d5975d6477240c83b587b6dd24
SSDEEP: 6144:jXOEA9S6s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAH9S7:TvA/705kWM/9J6gqGBf/sAHZHbgdhgi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Successive dropped executables create HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and set the value "Web Event Logger" to the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}. On Windows 7, Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so the COM server registered for that CLSID (see "Modifies registry class" below) is loaded into the shell without any Run key. The CLSID never changes across stages, which makes it the most reliable pivot for hunting.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfmkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjlfgml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbbeda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eidohiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihgndip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihkea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pneiaidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genkhidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmana32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmndbb32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehaleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkmnpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iegaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Higikdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhklfbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmfoodb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpidagc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnedpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhonegbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooiepnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlblmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokqae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aacknfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikahkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblcjohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldajoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feoihi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkdhohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Genkhidc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicfpkci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohglfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpecddpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpekggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hafngggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidohiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napibq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ildhcd32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eligoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebaggaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmamne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knapen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggohlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnpcabef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfbmnpfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchgnj32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbbedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgdcapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idqpjg32.exe -
Executes dropped EXE (64 IoCs)
The order follows the WriteProcessMemory chain: each process is launched by the one listed before it (shown for the first hops in the WriteProcessMemory section). The image names are eight pseudo-random letters, or six letters plus "32", and advance alphabetically from D through Q before wrapping round to A; a run of such names appearing in C:\Windows\SysWOW64 is a useful hunting pattern.
pid   Process
3068  Dghlfe32.exe
2024  Dgkike32.exe
2392  Ekcdegqe.exe
2456  Fenedlec.exe
2880  Fhonegbd.exe
2768  Gjgmhaim.exe
2648  Gloppi32.exe
2404  Hanenoeh.exe
1864  Hphljkfk.exe
412   Iegaha32.exe
1536  Iackhb32.exe
1856  Jbgdcapi.exe
1760  Jobnej32.exe
3016  Kefmnp32.exe
2340  Kcmfeldm.exe
2228  Lpfdpmho.exe
828   Lhiodnob.exe
1820  Mlfgkleh.exe
1784  Mafmhcam.exe
2028  Mknaahhn.exe
2336  Mpmfoodb.exe
1288  Nppceo32.exe
596   Nihgndip.exe
756   Neaehelb.exe
2156  Nolffjap.exe
2212  Oggkklnk.exe
2160  Odkkdqmd.exe
2152  Onelbfab.exe
2116  Ooiepnen.exe
2712  Pcgnfl32.exe
2752  Pmbpda32.exe
2932  Pneiaidn.exe
2656  Pgpjpnhk.exe
1312  Qahnid32.exe
2704  Aifpcfjd.exe
2872  Amdhidqk.exe
1320  Apeakonl.exe
1636  Ahbcda32.exe
1772  Bhglpqeo.exe
1416  Bhiiepcl.exe
2332  Bbcjfn32.exe
2784  Blkoocfl.exe
2388  Cpigeblb.exe
676   Clphjc32.exe
1532  Cehlbihg.exe
2536  Cekihh32.exe
2436  Cocnanmd.exe
2320  Ddbbod32.exe
2272  Dpicceon.exe
1572  Djahmk32.exe
2236  Djhnmj32.exe
2888  Eligoe32.exe
2924  Eojpqpih.exe
2600  Ejcaanfg.exe
2844  Eggajb32.exe
2540  Edkbdf32.exe
2492  Fpecddpi.exe
592   Fjkgampo.exe
2580  Fpjlpclc.exe
2220  Fibqhibd.exe
456   Flcjjdpe.exe
1720  Gapbbk32.exe
536   Genkhidc.exe
640   Gmipmlan.exe
Loads dropped DLL (64 IoCs; each process appears twice in the report, once per load event, starting with the original sample)
pid Process 2064 b385c11f5b2ab9bb6ea9018f5ed99220N.exe 2064 b385c11f5b2ab9bb6ea9018f5ed99220N.exe 3068 Dghlfe32.exe 3068 Dghlfe32.exe 2024 Dgkike32.exe 2024 Dgkike32.exe 2392 Ekcdegqe.exe 2392 Ekcdegqe.exe 2456 Fenedlec.exe 2456 Fenedlec.exe 2880 Fhonegbd.exe 2880 Fhonegbd.exe 2768 Gjgmhaim.exe 2768 Gjgmhaim.exe 2648 Gloppi32.exe 2648 Gloppi32.exe 2404 Hanenoeh.exe 2404 Hanenoeh.exe 1864 Hphljkfk.exe 1864 Hphljkfk.exe 412 Iegaha32.exe 412 Iegaha32.exe 1536 Iackhb32.exe 1536 Iackhb32.exe 1856 Jbgdcapi.exe 1856 Jbgdcapi.exe 1760 Jobnej32.exe 1760 Jobnej32.exe 3016 Kefmnp32.exe 3016 Kefmnp32.exe 2340 Kcmfeldm.exe 2340 Kcmfeldm.exe 2228 Lpfdpmho.exe 2228 Lpfdpmho.exe 828 Lhiodnob.exe 828 Lhiodnob.exe 1820 Mlfgkleh.exe 1820 Mlfgkleh.exe 1784 Mafmhcam.exe 1784 Mafmhcam.exe 2028 Mknaahhn.exe 2028 Mknaahhn.exe 2336 Mpmfoodb.exe 2336 Mpmfoodb.exe 1288 Nppceo32.exe 1288 Nppceo32.exe 596 Nihgndip.exe 596 Nihgndip.exe 756 Neaehelb.exe 756 Neaehelb.exe 2156 Nolffjap.exe 2156 Nolffjap.exe 2212 Oggkklnk.exe 2212 Oggkklnk.exe 2160 Odkkdqmd.exe 2160 Odkkdqmd.exe 2152 Onelbfab.exe 2152 Onelbfab.exe 2116 Ooiepnen.exe 2116 Ooiepnen.exe 2712 Pcgnfl32.exe 2712 Pcgnfl32.exe 2752 Pmbpda32.exe 2752 Pmbpda32.exe -
Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64. Each listed process writes either the next-stage .exe or a .dll; the DLLs are the COM servers later registered under InProcServer32 (for example Cmfnedeb.dll is created by Pkdknq32.exe here and registered by the same process in "Modifies registry class" below).
description ioc Process File created C:\Windows\SysWOW64\Edokna32.exe Dkggel32.exe File opened for modification C:\Windows\SysWOW64\Ggabhmge.exe Gglimm32.exe File created C:\Windows\SysWOW64\Jnogne32.dll Hhobbqkc.exe File created C:\Windows\SysWOW64\Dadkdj32.exe Cndbbolm.exe File created C:\Windows\SysWOW64\Mnknch32.dll Oldajoho.exe File opened for modification C:\Windows\SysWOW64\Eidohiac.exe Eiabbicf.exe File created C:\Windows\SysWOW64\Abopnhlp.dll Fhikiefk.exe File created C:\Windows\SysWOW64\Cocnanmd.exe Cekihh32.exe File opened for modification C:\Windows\SysWOW64\Hkoikcaq.exe Hohhfbkl.exe File created C:\Windows\SysWOW64\Ilneef32.exe Hkoikcaq.exe File created C:\Windows\SysWOW64\Gimmbg32.exe Gaahmd32.exe File created C:\Windows\SysWOW64\Mcdman32.dll Gaahmd32.exe File created C:\Windows\SysWOW64\Lpcppgff.exe Kbppfb32.exe File created C:\Windows\SysWOW64\Efeaqi32.exe Elmmhc32.exe File created C:\Windows\SysWOW64\Iobkgo32.dll Mnllppfh.exe File created C:\Windows\SysWOW64\Omemciec.dll Ddjkhl32.exe File opened for modification C:\Windows\SysWOW64\Mghjcq32.exe Lcjamb32.exe File created C:\Windows\SysWOW64\Hnkboc32.dll Hembfo32.exe File opened for modification C:\Windows\SysWOW64\Bgmjla32.exe Bcoafcjk.exe File opened for modification C:\Windows\SysWOW64\Cekihh32.exe Cehlbihg.exe File opened for modification C:\Windows\SysWOW64\Mgkghp32.exe Mghjcq32.exe File opened for modification C:\Windows\SysWOW64\Hgdhakpb.exe Gbecce32.exe File created C:\Windows\SysWOW64\Epgqddoh.exe Encgglkm.exe File created C:\Windows\SysWOW64\Fpecddpi.exe Edkbdf32.exe File created C:\Windows\SysWOW64\Jomnpdjb.exe Jcfmkcdn.exe File opened for modification C:\Windows\SysWOW64\Qjnoacdc.exe Pfpflenm.exe File created C:\Windows\SysWOW64\Coacdg32.exe Cefbfa32.exe File opened for modification C:\Windows\SysWOW64\Aacknfhl.exe Akical32.exe File created C:\Windows\SysWOW64\Edkode32.dll Lpcppgff.exe File opened for modification C:\Windows\SysWOW64\Jlddbgai.exe Jggljqcb.exe File opened for modification 
C:\Windows\SysWOW64\Ialpfeno.exe Ihclmp32.exe File created C:\Windows\SysWOW64\Lohlcoid.exe Lfpgkicd.exe File created C:\Windows\SysWOW64\Cmfnedeb.dll Pkdknq32.exe File created C:\Windows\SysWOW64\Dlppgihj.exe Dlmcaijm.exe File opened for modification C:\Windows\SysWOW64\Infhmmhi.exe Iiiogoac.exe File created C:\Windows\SysWOW64\Pmbabjia.dll Emkanhnb.exe File created C:\Windows\SysWOW64\Egbgjake.dll Gemham32.exe File created C:\Windows\SysWOW64\Hoflpbmo.exe Hbokkagk.exe File created C:\Windows\SysWOW64\Jcfmkcdn.exe Idqpjg32.exe File created C:\Windows\SysWOW64\Fogipnjj.exe Fmfpnb32.exe File created C:\Windows\SysWOW64\Kchhholk.exe Kcflbpnn.exe File opened for modification C:\Windows\SysWOW64\Laahjdib.exe Kdkkkqlk.exe File created C:\Windows\SysWOW64\Mqkgeb32.dll Cpigeblb.exe File opened for modification C:\Windows\SysWOW64\Djhnmj32.exe Djahmk32.exe File created C:\Windows\SysWOW64\Kljgohme.dll Aggbif32.exe File created C:\Windows\SysWOW64\Cgockh32.dll Kpecad32.exe File opened for modification C:\Windows\SysWOW64\Feblho32.exe Fapgolal.exe File opened for modification C:\Windows\SysWOW64\Pjpdlj32.exe Phbhpo32.exe File created C:\Windows\SysWOW64\Jficbn32.exe Jhebij32.exe File opened for modification C:\Windows\SysWOW64\Ohofimje.exe Ohljcnlh.exe File created C:\Windows\SysWOW64\Lpnhmi32.dll Fqeagpop.exe File opened for modification C:\Windows\SysWOW64\Fejmda32.exe Eiapjq32.exe File created C:\Windows\SysWOW64\Hbdamjng.dll Keadoe32.exe File created C:\Windows\SysWOW64\Cmpjel32.dll Moqkgmol.exe File opened for modification C:\Windows\SysWOW64\Immnlh32.exe Hafngggd.exe File created C:\Windows\SysWOW64\Mhpnpeei.dll Eidohiac.exe File created C:\Windows\SysWOW64\Panoee32.dll Genkhidc.exe File created C:\Windows\SysWOW64\Eaojgf32.dll Hjdfgojp.exe File created C:\Windows\SysWOW64\Diaimceg.dll Pqfdlmic.exe File created C:\Windows\SysWOW64\Hcpphd32.dll Ipqmgbbf.exe File created C:\Windows\SysWOW64\Glaejokn.exe Fkphcg32.exe File created C:\Windows\SysWOW64\Mbmfpdcn.dll 
Gloppi32.exe File opened for modification C:\Windows\SysWOW64\Ocmdeg32.exe Omnpgqdo.exe File opened for modification C:\Windows\SysWOW64\Ffdgef32.exe Fcfjik32.exe -
Program crash (1 IoC)
pid 2076 (WerFault.exe) reported a crash of pid_target 2772, procid_target 508
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Every process in the chain, including the original sample, opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language. On its own this read is weak evidence, since locale-aware Windows APIs touch the same key; it is notable here because every dropped stage repeats it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgpckcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqmgbbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlebeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oamaan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppgfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnojkck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maldcblg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihefjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opdffmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glaejokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegnom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b385c11f5b2ab9bb6ea9018f5ed99220N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhonegbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfpilmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnqae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iicoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcooinfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpicceon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gapbbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmipmlan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfpoimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmqip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfflnl32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jankcafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaago32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjkgampo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgmjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiiogoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbbod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfgojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imccco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldajoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnanceem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moqkgmol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcaanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpijngn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdaajl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnnlmob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfeldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhobbqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mghjcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaekh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Dhfnca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpkobnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifckaodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapgolal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmbfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higikdhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldbbbno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidohiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcjqkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjqjoolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkjknji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoplkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifgml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgdcapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neaehelb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekihh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khmamhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khonbhch.exe -
Modifies registry class (64 IoCs)
The dropped stages register the CLSID referenced by the autorun value above, {79FEACFF-FFCE-815E-A900-316290B5B738}, under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{...}\InProcServer32 with ThreadingModel = "Apartment" and the default value pointing at a dropped DLL in C:\Windows\SysWow64 (Hpldgohk.dll, Npempg32.dll, Pafacbhp.dll, and so on). The DLL name differs per stage and each write overwrites the previous one, so on a live host only the last registered DLL is the one Explorer loads; the CLSID is the constant to pivot on.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpldgohk.dll" Lfanep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkclcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boppmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dghlfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npempg32.dll" Gmipmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffmqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafacbhp.dll" Qjnoacdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjgjj32.dll" Doipoldo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlblmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikgkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngmbfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oicfpkci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nppgfp32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgdcapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnoacdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlkonhkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnnidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nldbbbno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neaehelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcflbpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqgahd.dll" Amjmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moqkgmol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkcmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hanenoeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcjamb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihkea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghlfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlmqip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkphcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncqmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbankjel.dll" Ihefjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocmdeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbaqfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bojogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjjmc32.dll" Iikgkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdngph32.dll" Nppgfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjgmhaim.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcqldm32.dll" Jnfdlpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Badlln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhnggo32.dll" Dpifln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edenlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggifmgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkedoid.dll" Ljafifbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eidohiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbkgfki.dll" Djahmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqaki32.dll" Jnlkkkod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olhhmele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfldhhnk.dll" Khdjfpfg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgibjo32.dll" Fchgnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohlcoid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfnedeb.dll" Pkdknq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhofpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eikmkbeg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaogp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emeejpjc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdddpa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgkmkdcp.dll" Anbaqfep.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmcogf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfimf32.dll" Bijakkmc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpigeblb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhipcbdi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldpeojc.dll" Eddgaj32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2064 wrote to memory of 3068 | 2064 | b385c11f5b2ab9bb6ea9018f5ed99220N.exe | 29 |
| PID 2064 wrote to memory of 3068 | 2064 | b385c11f5b2ab9bb6ea9018f5ed99220N.exe | 29 |
| PID 2064 wrote to memory of 3068 | 2064 | b385c11f5b2ab9bb6ea9018f5ed99220N.exe | 29 |
| PID 2064 wrote to memory of 3068 | 2064 | b385c11f5b2ab9bb6ea9018f5ed99220N.exe | 29 |
| PID 3068 wrote to memory of 2024 | 3068 | Dghlfe32.exe | 30 |
| PID 3068 wrote to memory of 2024 | 3068 | Dghlfe32.exe | 30 |
| PID 3068 wrote to memory of 2024 | 3068 | Dghlfe32.exe | 30 |
| PID 3068 wrote to memory of 2024 | 3068 | Dghlfe32.exe | 30 |
| PID 2024 wrote to memory of 2392 | 2024 | Dgkike32.exe | 31 |
| PID 2024 wrote to memory of 2392 | 2024 | Dgkike32.exe | 31 |
| PID 2024 wrote to memory of 2392 | 2024 | Dgkike32.exe | 31 |
| PID 2024 wrote to memory of 2392 | 2024 | Dgkike32.exe | 31 |
| PID 2392 wrote to memory of 2456 | 2392 | Ekcdegqe.exe | 32 |
| PID 2392 wrote to memory of 2456 | 2392 | Ekcdegqe.exe | 32 |
| PID 2392 wrote to memory of 2456 | 2392 | Ekcdegqe.exe | 32 |
| PID 2392 wrote to memory of 2456 | 2392 | Ekcdegqe.exe | 32 |
| PID 2456 wrote to memory of 2880 | 2456 | Fenedlec.exe | 33 |
| PID 2456 wrote to memory of 2880 | 2456 | Fenedlec.exe | 33 |
| PID 2456 wrote to memory of 2880 | 2456 | Fenedlec.exe | 33 |
| PID 2456 wrote to memory of 2880 | 2456 | Fenedlec.exe | 33 |
| PID 2880 wrote to memory of 2768 | 2880 | Fhonegbd.exe | 34 |
| PID 2880 wrote to memory of 2768 | 2880 | Fhonegbd.exe | 34 |
| PID 2880 wrote to memory of 2768 | 2880 | Fhonegbd.exe | 34 |
| PID 2880 wrote to memory of 2768 | 2880 | Fhonegbd.exe | 34 |
| PID 2768 wrote to memory of 2648 | 2768 | Gjgmhaim.exe | 35 |
| PID 2768 wrote to memory of 2648 | 2768 | Gjgmhaim.exe | 35 |
| PID 2768 wrote to memory of 2648 | 2768 | Gjgmhaim.exe | 35 |
| PID 2768 wrote to memory of 2648 | 2768 | Gjgmhaim.exe | 35 |
| PID 2648 wrote to memory of 2404 | 2648 | Gloppi32.exe | 36 |
| PID 2648 wrote to memory of 2404 | 2648 | Gloppi32.exe | 36 |
| PID 2648 wrote to memory of 2404 | 2648 | Gloppi32.exe | 36 |
| PID 2648 wrote to memory of 2404 | 2648 | Gloppi32.exe | 36 |
| PID 2404 wrote to memory of 1864 | 2404 | Hanenoeh.exe | 37 |
| PID 2404 wrote to memory of 1864 | 2404 | Hanenoeh.exe | 37 |
| PID 2404 wrote to memory of 1864 | 2404 | Hanenoeh.exe | 37 |
| PID 2404 wrote to memory of 1864 | 2404 | Hanenoeh.exe | 37 |
| PID 1864 wrote to memory of 412 | 1864 | Hphljkfk.exe | 38 |
| PID 1864 wrote to memory of 412 | 1864 | Hphljkfk.exe | 38 |
| PID 1864 wrote to memory of 412 | 1864 | Hphljkfk.exe | 38 |
| PID 1864 wrote to memory of 412 | 1864 | Hphljkfk.exe | 38 |
| PID 412 wrote to memory of 1536 | 412 | Iegaha32.exe | 39 |
| PID 412 wrote to memory of 1536 | 412 | Iegaha32.exe | 39 |
| PID 412 wrote to memory of 1536 | 412 | Iegaha32.exe | 39 |
| PID 412 wrote to memory of 1536 | 412 | Iegaha32.exe | 39 |
| PID 1536 wrote to memory of 1856 | 1536 | Iackhb32.exe | 40 |
| PID 1536 wrote to memory of 1856 | 1536 | Iackhb32.exe | 40 |
| PID 1536 wrote to memory of 1856 | 1536 | Iackhb32.exe | 40 |
| PID 1536 wrote to memory of 1856 | 1536 | Iackhb32.exe | 40 |
| PID 1856 wrote to memory of 1760 | 1856 | Jbgdcapi.exe | 41 |
| PID 1856 wrote to memory of 1760 | 1856 | Jbgdcapi.exe | 41 |
| PID 1856 wrote to memory of 1760 | 1856 | Jbgdcapi.exe | 41 |
| PID 1856 wrote to memory of 1760 | 1856 | Jbgdcapi.exe | 41 |
| PID 1760 wrote to memory of 3016 | 1760 | Jobnej32.exe | 42 |
| PID 1760 wrote to memory of 3016 | 1760 | Jobnej32.exe | 42 |
| PID 1760 wrote to memory of 3016 | 1760 | Jobnej32.exe | 42 |
| PID 1760 wrote to memory of 3016 | 1760 | Jobnej32.exe | 42 |
| PID 3016 wrote to memory of 2340 | 3016 | Kefmnp32.exe | 43 |
| PID 3016 wrote to memory of 2340 | 3016 | Kefmnp32.exe | 43 |
| PID 3016 wrote to memory of 2340 | 3016 | Kefmnp32.exe | 43 |
| PID 3016 wrote to memory of 2340 | 3016 | Kefmnp32.exe | 43 |
| PID 2340 wrote to memory of 2228 | 2340 | Kcmfeldm.exe | 44 |
| PID 2340 wrote to memory of 2228 | 2340 | Kcmfeldm.exe | 44 |
| PID 2340 wrote to memory of 2228 | 2340 | Kcmfeldm.exe | 44 |
| PID 2340 wrote to memory of 2228 | 2340 | Kcmfeldm.exe | 44 |
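The registry IoCs above describe one persistence mechanism: a value under ShellServiceObjectDelayLoad (SSODL) named "Web Event Logger" that points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 default value names a DLL dropped into SysWow64 and whose ThreadingModel is set to "Apartment". The script below is an added example for checking a host for that shape of persistence; it is not part of the tria.ge report or of the sample. It assumes an elevated PowerShell session on the host under investigation. The value name and CLSID are taken from the report; the `$KnownGoodClsids` allowlist is a hypothetical placeholder you would fill from a clean build of the same image.

```powershell
# Added example, not part of the tria.ge report or of the sample: enumerate the
# ShellServiceObjectDelayLoad (SSODL) entries Explorer loads at logon, resolve each
# CLSID to its InProcServer32 DLL in the matching registry view, and flag entries
# that look like the persistence recorded above. Run in an elevated session.

# IoCs taken from the report: the SSODL value name and CLSID the sample registers.
$ReportedClsid     = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$ReportedValueName = 'Web Event Logger'

# Hypothetical allowlist: CLSIDs you have confirmed on a clean build of the same image.
# Left empty here, so every entry is reported with 'CLSID not in allowlist'.
$KnownGoodClsids = @()

function Get-SsodlEntry {
    # Native view and the WOW64 view, each paired with the CLSID hive a loader
    # running in that view would consult.
    $views = @(
        @{ Name  = 'Native'
           Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Name  = 'WOW64'
           Ssodl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -Path $v.Ssodl)) { continue }
        $key = Get-Item -Path $v.Ssodl
        foreach ($name in $key.GetValueNames()) {
            $clsid     = [string]$key.GetValue($name)
            $inproc    = Join-Path -Path $v.Clsid -ChildPath "$clsid\InProcServer32"
            $dll       = $null
            $threading = $null
            if (Test-Path -Path $inproc) {
                $props     = Get-ItemProperty -Path $inproc
                $dll       = [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
                $threading = $props.ThreadingModel
            }

            # Authenticode status, only when the DLL is actually on disk.
            $sigStatus = 'FileMissing'
            $signer    = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig       = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            $reasons = @()
            if ($clsid -ieq $ReportedClsid)           { $reasons += 'CLSID matches report' }
            if ($name -ieq $ReportedValueName)        { $reasons += 'value name matches report' }
            if ($KnownGoodClsids -notcontains $clsid)  { $reasons += 'CLSID not in allowlist' }
            if ($sigStatus -ne 'Valid')               { $reasons += "signature: $sigStatus" }

            [pscustomobject]@{
                View       = $v.Name
                ValueName  = $name
                CLSID      = $clsid
                DLL        = $dll
                Threading  = $threading
                Signature  = $sigStatus
                Signer     = $signer
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlEntry | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

The report shows the sample's writes landing under Wow6432Node, which is where WOW64 registry redirection sends a 32-bit writer; the report does not establish whether the 64-bit Explorer on this image ever honours that view, so the function walks both views rather than assuming. On older Windows builds Get-AuthenticodeSignature does not consult catalog signatures, so a legitimate OS DLL can show as NotSigned; treat the signature column as one signal next to the CLSID and DLL path, and hash anything unfamiliar before acting on it.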
Processes
Each entry is the child of the entry above it; the number in front is its depth in the process tree, starting at 1 for the submitted sample. Every dropped stage is written to C:\Windows\SysWOW64 and launched with a C:\Windows\system32 command line, which WOW64 file-system redirection resolves to SysWOW64 for a 32-bit process.
1. C:\Users\Admin\AppData\Local\Temp\b385c11f5b2ab9bb6ea9018f5ed99220N.exe (PID 2064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b385c11f5b2ab9bb6ea9018f5ed99220N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dghlfe32.exe (PID 3068)
   Command line: C:\Windows\system32\Dghlfe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dgkike32.exe (PID 2024)
   Command line: C:\Windows\system32\Dgkike32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ekcdegqe.exe (PID 2392)
   Command line: C:\Windows\system32\Ekcdegqe.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fenedlec.exe (PID 2456)
   Command line: C:\Windows\system32\Fenedlec.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fhonegbd.exe (PID 2880)
   Command line: C:\Windows\system32\Fhonegbd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gjgmhaim.exe (PID 2768)
   Command line: C:\Windows\system32\Gjgmhaim.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gloppi32.exe (PID 2648)
   Command line: C:\Windows\system32\Gloppi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Hanenoeh.exe (PID 2404)
   Command line: C:\Windows\system32\Hanenoeh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hphljkfk.exe (PID 1864)
   Command line: C:\Windows\system32\Hphljkfk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Iegaha32.exe (PID 412)
   Command line: C:\Windows\system32\Iegaha32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Iackhb32.exe (PID 1536)
   Command line: C:\Windows\system32\Iackhb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jbgdcapi.exe (PID 1856)
   Command line: C:\Windows\system32\Jbgdcapi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jobnej32.exe (PID 1760)
   Command line: C:\Windows\system32\Jobnej32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kefmnp32.exe (PID 3016)
   Command line: C:\Windows\system32\Kefmnp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kcmfeldm.exe (PID 2340)
   Command line: C:\Windows\system32\Kcmfeldm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lpfdpmho.exe (PID 2228)
   Command line: C:\Windows\system32\Lpfdpmho.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Lhiodnob.exe (PID 828)
   Command line: C:\Windows\system32\Lhiodnob.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Mlfgkleh.exe (PID 1820)
   Command line: C:\Windows\system32\Mlfgkleh.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Mafmhcam.exe (PID 1784)
   Command line: C:\Windows\system32\Mafmhcam.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mknaahhn.exe (PID 2028)
   Command line: C:\Windows\system32\Mknaahhn.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Mpmfoodb.exe (PID 2336)
   Command line: C:\Windows\system32\Mpmfoodb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Nppceo32.exe (PID 1288)
   Command line: C:\Windows\system32\Nppceo32.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Nihgndip.exe (PID 596)
   Command line: C:\Windows\system32\Nihgndip.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Neaehelb.exe (PID 756)
   Command line: C:\Windows\system32\Neaehelb.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
26. C:\Windows\SysWOW64\Nolffjap.exe (PID 2156)
   Command line: C:\Windows\system32\Nolffjap.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Oggkklnk.exe (PID 2212)
   Command line: C:\Windows\system32\Oggkklnk.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Odkkdqmd.exe (PID 2160)
   Command line: C:\Windows\system32\Odkkdqmd.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Onelbfab.exe (PID 2152)
   Command line: C:\Windows\system32\Onelbfab.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ooiepnen.exe (PID 2116)
   Command line: C:\Windows\system32\Ooiepnen.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Pcgnfl32.exe (PID 2712)
   Command line: C:\Windows\system32\Pcgnfl32.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Pmbpda32.exe (PID 2752)
   Command line: C:\Windows\system32\Pmbpda32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Pneiaidn.exe (PID 2932)
   Command line: C:\Windows\system32\Pneiaidn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Pgpjpnhk.exe (PID 2656)
   Command line: C:\Windows\system32\Pgpjpnhk.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Qahnid32.exe (PID 1312)
   Command line: C:\Windows\system32\Qahnid32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Aifpcfjd.exe (PID 2704)
   Command line: C:\Windows\system32\Aifpcfjd.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Amdhidqk.exe (PID 2872)
   Command line: C:\Windows\system32\Amdhidqk.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Apeakonl.exe (PID 1320)
   Command line: C:\Windows\system32\Apeakonl.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ahbcda32.exe (PID 1636)
   Command line: C:\Windows\system32\Ahbcda32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Bhglpqeo.exe (PID 1772)
   Command line: C:\Windows\system32\Bhglpqeo.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Bhiiepcl.exe (PID 1416)
   Command line: C:\Windows\system32\Bhiiepcl.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Bbcjfn32.exe (PID 2332)
   Command line: C:\Windows\system32\Bbcjfn32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Blkoocfl.exe (PID 2784)
   Command line: C:\Windows\system32\Blkoocfl.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Cpigeblb.exe (PID 2388)
   Command line: C:\Windows\system32\Cpigeblb.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
45. C:\Windows\SysWOW64\Clphjc32.exe (PID 676)
   Command line: C:\Windows\system32\Clphjc32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Cehlbihg.exe (PID 1532)
   Command line: C:\Windows\system32\Cehlbihg.exe
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Cekihh32.exe (PID 2536)
   Command line: C:\Windows\system32\Cekihh32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Cocnanmd.exe (PID 2436)
   Command line: C:\Windows\system32\Cocnanmd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Ddbbod32.exe (PID 2320)
   Command line: C:\Windows\system32\Ddbbod32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Dpicceon.exe (PID 2272)
   Command line: C:\Windows\system32\Dpicceon.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
51. C:\Windows\SysWOW64\Djahmk32.exe (PID 1572)
   Command line: C:\Windows\system32\Djahmk32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
52. C:\Windows\SysWOW64\Djhnmj32.exe (PID 2236)
   Command line: C:\Windows\system32\Djhnmj32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Eligoe32.exe (PID 2888)
   Command line: C:\Windows\system32\Eligoe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Eojpqpih.exe (PID 2924)
   Command line: C:\Windows\system32\Eojpqpih.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ejcaanfg.exe (PID 2600)
   Command line: C:\Windows\system32\Ejcaanfg.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Eggajb32.exe (PID 2844)
   Command line: C:\Windows\system32\Eggajb32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Edkbdf32.exe (PID 2540)
   Command line: C:\Windows\system32\Edkbdf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Fpecddpi.exe (PID 2492)
   Command line: C:\Windows\system32\Fpecddpi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Fjkgampo.exe (PID 592)
   Command line: C:\Windows\system32\Fjkgampo.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Fpjlpclc.exe (PID 2580)
   Command line: C:\Windows\system32\Fpjlpclc.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Fibqhibd.exe (PID 2220)
   Command line: C:\Windows\system32\Fibqhibd.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Flcjjdpe.exe (PID 456)
   Command line: C:\Windows\system32\Flcjjdpe.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Gapbbk32.exe (PID 1720)
   Command line: C:\Windows\system32\Gapbbk32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Genkhidc.exe (PID 536)
   Command line: C:\Windows\system32\Genkhidc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Gmipmlan.exe (PID 640)
   Command line: C:\Windows\system32\Gmipmlan.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
66. C:\Windows\SysWOW64\Gpihog32.exe (PID 868)
   Command line: C:\Windows\system32\Gpihog32.exe
67. C:\Windows\SysWOW64\Gjomlp32.exe (PID 1692)
   Command line: C:\Windows\system32\Gjomlp32.exe
68. C:\Windows\SysWOW64\Gffmqq32.exe (PID 3052)
   Command line: C:\Windows\system32\Gffmqq32.exe
   - Modifies registry class
69. C:\Windows\SysWOW64\Hjdfgojp.exe (PID 2520)
   Command line: C:\Windows\system32\Hjdfgojp.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Hbokkagk.exe (PID 2216)
   Command line: C:\Windows\system32\Hbokkagk.exe
   - Drops file in System32 directory
71. C:\Windows\SysWOW64\Hoflpbmo.exe (PID 2812)
   Command line: C:\Windows\system32\Hoflpbmo.exe
72. C:\Windows\SysWOW64\Hohhfbkl.exe (PID 2852)
   Command line: C:\Windows\system32\Hohhfbkl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Hkoikcaq.exe (PID 2680)
   Command line: C:\Windows\system32\Hkoikcaq.exe
   - Drops file in System32 directory
74. C:\Windows\SysWOW64\Ilneef32.exe (PID 2372)
   Command line: C:\Windows\system32\Ilneef32.exe
75. C:\Windows\SysWOW64\Ihefjg32.exe (PID 688)
   Command line: C:\Windows\system32\Ihefjg32.exe
   - System Location Discovery: System Language Discovery
   - Modifies registry class
76. C:\Windows\SysWOW64\Iiiogoac.exe (PID 2652)
   Command line: C:\Windows\system32\Iiiogoac.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Infhmmhi.exe (PID 276)
   Command line: C:\Windows\system32\Infhmmhi.exe
78. C:\Windows\SysWOW64\Idqpjg32.exe (PID 1808)
   Command line: C:\Windows\system32\Idqpjg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
79. C:\Windows\SysWOW64\Jcfmkcdn.exe (PID 944)
   Command line: C:\Windows\system32\Jcfmkcdn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
80. C:\Windows\SysWOW64\Jomnpdjb.exe (PID 2244)
   Command line: C:\Windows\system32\Jomnpdjb.exe
81. C:\Windows\SysWOW64\Jhebij32.exe (PID 2512)
   Command line: C:\Windows\system32\Jhebij32.exe
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\Jficbn32.exe (PID 1748)
   Command line: C:\Windows\system32\Jficbn32.exe
83. C:\Windows\SysWOW64\Jdnpck32.exe (PID 1848)
   Command line: C:\Windows\system32\Jdnpck32.exe
84. C:\Windows\SysWOW64\Jnfdlpje.exe (PID 2224)
   Command line: C:\Windows\system32\Jnfdlpje.exe
   - Modifies registry class
85. C:\Windows\SysWOW64\Kjmeaa32.exe (PID 2544)
   Command line: C:\Windows\system32\Kjmeaa32.exe
86. C:\Windows\SysWOW64\Kkmakd32.exe (PID 2912)
   Command line: C:\Windows\system32\Kkmakd32.exe
87. C:\Windows\SysWOW64\Kffblb32.exe (PID 316)
   Command line: C:\Windows\system32\Kffblb32.exe
88. C:\Windows\SysWOW64\Kfioaaah.exe (PID 588)
   Command line: C:\Windows\system32\Kfioaaah.exe
89. C:\Windows\SysWOW64\Kbppfb32.exe (PID 2716)
   Command line: C:\Windows\system32\Kbppfb32.exe
   - Drops file in System32 directory
90. C:\Windows\SysWOW64\Lpcppgff.exe (PID 2076)
   Command line: C:\Windows\system32\Lpcppgff.exe
   - Drops file in System32 directory
91. C:\Windows\SysWOW64\Lfpebq32.exe (PID 2788)
   Command line: C:\Windows\system32\Lfpebq32.exe
92. C:\Windows\SysWOW64\Liqnclia.exe (PID 1200)
   Command line: C:\Windows\system32\Liqnclia.exe
93. C:\Windows\SysWOW64\Lnmglbgh.exe (PID 1124)
   Command line: C:\Windows\system32\Lnmglbgh.exe
94. C:\Windows\SysWOW64\Lnpcabef.exe (PID 2400)
   Command line: C:\Windows\system32\Lnpcabef.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Lcllii32.exe (PID 2140)
   Command line: C:\Windows\system32\Lcllii32.exe
96. C:\Windows\SysWOW64\Mmepboin.exe (PID 236)
   Command line: C:\Windows\system32\Mmepboin.exe
97. C:\Windows\SysWOW64\Mabihm32.exe (PID 1832)
   Command line: C:\Windows\system32\Mabihm32.exe
98. C:\Windows\SysWOW64\Napibq32.exe (PID 2688)
   Command line: C:\Windows\system32\Napibq32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Nhlndj32.exe (PID 1592)
   Command line: C:\Windows\system32\Nhlndj32.exe
100. C:\Windows\SysWOW64\Ngajeg32.exe (PID 2096)
   Command line: C:\Windows\system32\Ngajeg32.exe
101. C:\Windows\SysWOW64\Nchkjhdh.exe (PID 2260)
   Command line: C:\Windows\system32\Nchkjhdh.exe
102. C:\Windows\SysWOW64\Omnpgqdo.exe (PID 2776)
   Command line: C:\Windows\system32\Omnpgqdo.exe
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Ocmdeg32.exe (PID 1348)
   Command line: C:\Windows\system32\Ocmdeg32.exe
   - Modifies registry class
104. C:\Windows\SysWOW64\Ohljcnlh.exe (PID 824)
   Command line: C:\Windows\system32\Ohljcnlh.exe
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Ohofimje.exe (PID 2856)
   Command line: C:\Windows\system32\Ohofimje.exe
106. C:\Windows\SysWOW64\Onkoadhm.exe (PID 2044)
   Command line: C:\Windows\system32\Onkoadhm.exe
107. C:\Windows\SysWOW64\Pokkkgpo.exe (PID 2192)
   Command line: C:\Windows\system32\Pokkkgpo.exe
108. C:\Windows\SysWOW64\Pgfpoimj.exe (PID 2164)
   Command line: C:\Windows\system32\Pgfpoimj.exe
   - System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Pkdiehca.exe (PID 1032)
   Command line: C:\Windows\system32\Pkdiehca.exe
110. C:\Windows\SysWOW64\Pconjjql.exe (PID 924)
   Command line: C:\Windows\system32\Pconjjql.exe
111. C:\Windows\SysWOW64\Pfpflenm.exe (PID 2556)
   Command line: C:\Windows\system32\Pfpflenm.exe
   - Drops file in System32 directory
112. C:\Windows\SysWOW64\Qjnoacdc.exe (PID 1696)
   Command line: C:\Windows\system32\Qjnoacdc.exe
   - Modifies registry class
113. C:\Windows\SysWOW64\Qegpbaqb.exe (PID 2208)
   Command line: C:\Windows\system32\Qegpbaqb.exe
114. C:\Windows\SysWOW64\Anpekggc.exe (PID 1764)
   Command line: C:\Windows\system32\Anpekggc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Anbaqfep.exe (PID 2624)
   Command line: C:\Windows\system32\Anbaqfep.exe
   - Modifies registry class
116. C:\Windows\SysWOW64\Aacjba32.exe (PID 2572)
   Command line: C:\Windows\system32\Aacjba32.exe
117. C:\Windows\SysWOW64\Agoodkgk.exe (PID 1712)
   Command line: C:\Windows\system32\Agoodkgk.exe
118. C:\Windows\SysWOW64\Acfpilmp.exe (PID 892)
   Command line: C:\Windows\system32\Acfpilmp.exe
   - System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Bmndbb32.exe (PID 2200)
   Command line: C:\Windows\system32\Bmndbb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Bmaaha32.exe (PID 2476)
   Command line: C:\Windows\system32\Bmaaha32.exe
121. C:\Windows\SysWOW64\Bbnjphpe.exe (PID 1628)
   Command line: C:\Windows\system32\Bbnjphpe.exe
122. C:\Windows\SysWOW64\Bmcnmapk.exe (PID 1488)
   Command line: C:\Windows\system32\Bmcnmapk.exe
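The process tree above is a single chain: each stage drops the next executable into SysWOW64 ("Drops file in System32 directory"), launches it ("Executes dropped EXE"), and the sandbox records the child as the only descendant, 122 levels deep within the 115-second run. The script below is an added example for hunting a host for that pattern; it is not part of the tria.ge report or of the sample. It assumes an elevated session with PowerShell 4 or later (for Get-FileHash), a hypothetical 24-hour lookback window, and, for the second check, that Sysmon is installed and logging Event ID 1 to its default channel; only the "SysWOW64 parent spawns SysWOW64 child" shape is taken from the report.

```powershell
# Added example, not part of the tria.ge report or of the sample: hunt a host for the
# dropped-binary chain shown in the process tree. Two independent checks:
#   1. .exe/.dll files created in SysWOW64 inside a lookback window that lack a valid
#      Authenticode signature (the sample drops its next stage there on every hop);
#   2. with Sysmon present, process creations where both parent and child images live
#      in SysWOW64, chained through ParentProcessId to recover how deep the spawn
#      chain went.
# Run elevated; needs PowerShell 4+ for Get-FileHash. The 24-hour window and the Sysmon
# log name are assumptions for this example; the "SysWOW64 parent spawns SysWOW64
# child" shape is what the report records.

param(
    [int]$LookbackHours = 24,
    [string]$Dir = "$env:SystemRoot\SysWOW64"
)
$since = (Get-Date).AddHours(-$LookbackHours)

function Get-RecentUnsignedBinary {
    param([string]$Path, [datetime]$Since)
    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.exe', '.dll') -and $_.CreationTime -ge $Since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB)
                Signature = [string]$sig.Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' }
}

function Get-SysWow64SpawnChain {
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # Flatten each event's EventData into a record keyed by the new process's PID.
    # A later event with a reused PID overwrites an earlier one; acceptable for a hunt.
    $byPid = @{}
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $byPid[[int]$d.ProcessId] = [pscustomobject]@{
            PID         = [int]$d.ProcessId
            Image       = $d.Image
            PPID        = [int]$d.ParentProcessId
            ParentImage = $d.ParentImage
        }
    }

    foreach ($r in $byPid.Values) {
        if ($r.Image -notlike '*\SysWOW64\*' -or $r.ParentImage -notlike '*\SysWOW64\*') { continue }
        # Walk up through SysWOW64-resident ancestors; the visited set stops PID-reuse loops.
        $depth = 1
        $cur   = $r
        $seen  = @{}
        $seen[$r.PID] = $true
        while ($byPid.ContainsKey($cur.PPID) -and -not $seen.ContainsKey($cur.PPID) -and
               $byPid[$cur.PPID].Image -like '*\SysWOW64\*') {
            $cur = $byPid[$cur.PPID]
            $seen[$cur.PID] = $true
            $depth++
        }
        [pscustomobject]@{
            PID = $r.PID; Image = $r.Image; PPID = $r.PPID
            ParentImage = $r.ParentImage; ChainDepth = $depth
        }
    }
}

"== Unsigned .exe/.dll created in $Dir since $since =="
Get-RecentUnsignedBinary -Path $Dir -Since $since | Format-Table -AutoSize
"== SysWOW64 -> SysWOW64 process creations (Sysmon Event ID 1), deepest chain first =="
Get-SysWow64SpawnChain -Since $since | Sort-Object -Property ChainDepth -Descending | Format-Table -AutoSize
```

Save it as a .ps1 and run it with `-LookbackHours` widened if the infection predates the default window. The creation-time filter is what keeps the first list short on a directory that normally holds thousands of files; legitimate OS files that are catalog-signed rather than Authenticode-signed can still appear as NotSigned on older builds, so hash anything unfamiliar and compare it before removing it. Legitimate SysWOW64-to-SysWOW64 spawns (for example 32-bit cmd.exe launching a 32-bit tool) will show with a ChainDepth of 1 or 2; a chain dozens deep with random eight-character image names is the shape this report records.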