Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06/08/2024, 02:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe
-
Size
352KB
-
MD5
2eade189d3682eb3d01831f764a39c1b
-
SHA1
dc58af7b2481610efc85fb90affa77e028b923f1
-
SHA256
c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c
-
SHA512
47f3ebd9bed90fce94de9d5c9a12ee9e7df433e1de14e6480a5f916a4d5e4b9899322b5d5d2467826193c2a4c59cb4f8396be22a14dc932fdeba7cf3555bc64e
-
SSDEEP
6144:zxmBdZz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:FmBksUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nakikpin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poacighp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmepanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Negeln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebockkal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkojoghl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldpiifb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegnglnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfmeag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idekbgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfgoadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfkkeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpjnmlel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmklak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokdja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmgifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmafngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjmidcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongckp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjgcecja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkjmcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdlacfca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmbknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffqqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neibanod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2176 Bedamd32.exe 2708 Befnbd32.exe 2672 Cppobaeb.exe 2724 Cpbkhabp.exe 2600 Cpdhna32.exe 2012 Cccdjl32.exe 2960 Cpiaipmh.exe 1016 Donojm32.exe 2920 Ddkgbc32.exe 2972 Dkeoongd.exe 2944 Dkgldm32.exe 1216 Djoeki32.exe 1020 Dqinhcoc.exe 2172 Ecgjdong.exe 1296 Eqkjmcmq.exe 1028 Efhcej32.exe 1912 Eqngcc32.exe 2528 Ebockkal.exe 1640 Eiilge32.exe 1584 Ecnpdnho.exe 1616 Feipbefb.exe 2504 Fdlpnamm.exe 1152 Fnadkjlc.exe 1272 Gminbfoh.exe 3032 Gpgjnbnl.exe 2764 Gbffjmmp.exe 2324 Golgon32.exe 2580 Ghghnc32.exe 2572 Glbdnbpk.exe 1260 Gbmlkl32.exe 1892 Hmfmkjdf.exe 2980 Hadfah32.exe 1408 Hpgfmeag.exe 3048 Hdeoccgn.exe 2164 Hgckoofa.exe 2412 Hpnlndkp.exe 1052 Hoalia32.exe 2884 Iaaekl32.exe 2516 Ijimli32.exe 444 Ikjjda32.exe 1464 Ihnjmf32.exe 1748 Ilifndlo.exe 316 Inkcem32.exe 2060 Idekbgji.exe 1916 Iojopp32.exe 2028 Idghhf32.exe 1424 Igeddb32.exe 2212 Ijdppm32.exe 1920 Jqnhmgmk.exe 2780 Jjfmem32.exe 2812 Jmdiahco.exe 2604 Jdlacfca.exe 2608 Jfmnkn32.exe 1212 Joebccpp.exe 1740 Jcandb32.exe 2284 Jfojpn32.exe 2752 Jmibmhoj.exe 2280 Jbfkeo32.exe 2432 Jipcbidn.exe 1852 Jojloc32.exe 2396 Jcfgoadd.exe 2340 Jfddkmch.exe 584 Knohpo32.exe 2020 Kffqqm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 2176 Bedamd32.exe 2176 Bedamd32.exe 2708 Befnbd32.exe 2708 Befnbd32.exe 2672 Cppobaeb.exe 2672 Cppobaeb.exe 2724 Cpbkhabp.exe 2724 Cpbkhabp.exe 2600 Cpdhna32.exe 2600 Cpdhna32.exe 2012 Cccdjl32.exe 2012 Cccdjl32.exe 2960 Cpiaipmh.exe 2960 Cpiaipmh.exe 1016 Donojm32.exe 1016 Donojm32.exe 2920 Ddkgbc32.exe 2920 Ddkgbc32.exe 2972 Dkeoongd.exe 2972 Dkeoongd.exe 2944 Dkgldm32.exe 2944 Dkgldm32.exe 1216 Djoeki32.exe 1216 Djoeki32.exe 1020 Dqinhcoc.exe 1020 Dqinhcoc.exe 2172 Ecgjdong.exe 2172 Ecgjdong.exe 1296 Eqkjmcmq.exe 1296 Eqkjmcmq.exe 1028 Efhcej32.exe 1028 Efhcej32.exe 1912 Eqngcc32.exe 1912 Eqngcc32.exe 2528 Ebockkal.exe 2528 Ebockkal.exe 1640 Eiilge32.exe 1640 Eiilge32.exe 1584 Ecnpdnho.exe 1584 Ecnpdnho.exe 1616 Feipbefb.exe 1616 Feipbefb.exe 2504 Fdlpnamm.exe 2504 Fdlpnamm.exe 1152 Fnadkjlc.exe 1152 Fnadkjlc.exe 1272 Gminbfoh.exe 1272 Gminbfoh.exe 3032 Gpgjnbnl.exe 3032 Gpgjnbnl.exe 2764 Gbffjmmp.exe 2764 Gbffjmmp.exe 2324 Golgon32.exe 2324 Golgon32.exe 2580 Ghghnc32.exe 2580 Ghghnc32.exe 2572 Glbdnbpk.exe 2572 Glbdnbpk.exe 1260 Gbmlkl32.exe 1260 Gbmlkl32.exe 1892 Hmfmkjdf.exe 1892 Hmfmkjdf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Emokgnoa.dll Lbagpp32.exe File created C:\Windows\SysWOW64\Mghfdcdi.exe Mdjihgef.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Ckiiiine.exe File created C:\Windows\SysWOW64\Donojm32.exe Cpiaipmh.exe File created C:\Windows\SysWOW64\Feipbefb.exe Ecnpdnho.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Fdlpnamm.exe File created C:\Windows\SysWOW64\Hpgfmeag.exe Hadfah32.exe File created C:\Windows\SysWOW64\Lfdpjp32.exe Kaggbihl.exe File opened for modification C:\Windows\SysWOW64\Glbdnbpk.exe Ghghnc32.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hmfmkjdf.exe File opened for modification C:\Windows\SysWOW64\Jfmnkn32.exe Jdlacfca.exe File created C:\Windows\SysWOW64\Gjbcnmen.dll Pnkiebib.exe File created C:\Windows\SysWOW64\Hgeckn32.dll Nakikpin.exe File opened for modification C:\Windows\SysWOW64\Bkkioeig.exe Bdaabk32.exe File opened for modification C:\Windows\SysWOW64\Ebockkal.exe Eqngcc32.exe File created C:\Windows\SysWOW64\Iojopp32.exe Idekbgji.exe File created C:\Windows\SysWOW64\Knfopnkk.exe Klhbdclg.exe File created C:\Windows\SysWOW64\Lmbabj32.exe Ligfakaa.exe File opened for modification C:\Windows\SysWOW64\Mgmoob32.exe Mpcgbhig.exe File created C:\Windows\SysWOW64\Ckmagikg.dll Ecnpdnho.exe File created C:\Windows\SysWOW64\Nelgfoke.dll Jipcbidn.exe File created C:\Windows\SysWOW64\Ndmdqcnk.dll Ollqllod.exe File created C:\Windows\SysWOW64\Defhonof.dll Pgaahh32.exe File created C:\Windows\SysWOW64\Fkbhkj32.dll c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe File opened for modification C:\Windows\SysWOW64\Kbmafngi.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Ikimqk32.dll Jfojpn32.exe File created C:\Windows\SysWOW64\Dmddik32.dll Mmpakm32.exe File opened for modification C:\Windows\SysWOW64\Mpcgbhig.exe Mlgkbi32.exe File opened for modification C:\Windows\SysWOW64\Ooofcg32.exe Omqjgl32.exe File created C:\Windows\SysWOW64\Cmpbigma.dll Bjiljf32.exe File created C:\Windows\SysWOW64\Bejehklc.dll Lodnjboi.exe File created C:\Windows\SysWOW64\Dknnijed.dll Mebpakbq.exe File created C:\Windows\SysWOW64\Ogaeieoj.exe Ocfiif32.exe File created C:\Windows\SysWOW64\Dkeoongd.exe Ddkgbc32.exe File created C:\Windows\SysWOW64\Eiilge32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Hmfmkjdf.exe Gbmlkl32.exe File opened for modification C:\Windows\SysWOW64\Hdeoccgn.exe Hpgfmeag.exe File opened for modification C:\Windows\SysWOW64\Kmklak32.exe Kfacdqhf.exe File created C:\Windows\SysWOW64\Mhcqcl32.dll Pfnhkq32.exe File created C:\Windows\SysWOW64\Bpjnmlel.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Cdklmlof.dll Ikjjda32.exe File created C:\Windows\SysWOW64\Kffqqm32.exe Knohpo32.exe File opened for modification C:\Windows\SysWOW64\Nkaane32.exe Nloachkf.exe File created C:\Windows\SysWOW64\Mafalppn.dll Oqjibkek.exe File opened for modification C:\Windows\SysWOW64\Idghhf32.exe Iojopp32.exe File created C:\Windows\SysWOW64\Bjpjcm32.dll Mgmoob32.exe File opened for modification C:\Windows\SysWOW64\Nnbjpqoa.exe Nlanhh32.exe File created C:\Windows\SysWOW64\Ogdaod32.exe Oqjibkek.exe File created C:\Windows\SysWOW64\Jacgio32.dll Ecgjdong.exe File opened for modification C:\Windows\SysWOW64\Oabplobe.exe Ongckp32.exe File created C:\Windows\SysWOW64\Clhecl32.exe Cdamao32.exe File created C:\Windows\SysWOW64\Aemmee32.dll Qmepanje.exe File created C:\Windows\SysWOW64\Flffpf32.dll Bkkioeig.exe File created C:\Windows\SysWOW64\Lfehem32.dll Cdamao32.exe File created C:\Windows\SysWOW64\Malbbh32.dll Dkeoongd.exe File opened for modification C:\Windows\SysWOW64\Hmfmkjdf.exe Gbmlkl32.exe File opened for modification C:\Windows\SysWOW64\Iaaekl32.exe Hoalia32.exe File created C:\Windows\SysWOW64\Bjjbkefk.dll Nikkkn32.exe File created C:\Windows\SysWOW64\Ikicmc32.dll Pioamlkk.exe File created C:\Windows\SysWOW64\Hclmphpn.dll Cccdjl32.exe File created C:\Windows\SysWOW64\Jpdihq32.dll Glbdnbpk.exe File created C:\Windows\SysWOW64\Ollqllod.exe Ojndpqpq.exe File created C:\Windows\SysWOW64\Omnmal32.exe Ogaeieoj.exe File created C:\Windows\SysWOW64\Gfbejp32.dll Alaccj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofiopaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coindgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcofid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfmeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momapqgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjmmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laidgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmlkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfpjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfkidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobhdhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqnhmgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nloachkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailqfooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podpoffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aankkqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbnam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepanje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfmem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohjbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbkhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbdnbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobleeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfgoadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdamao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbagpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelmbifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admgglep.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocfiif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfmjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabplobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inkcem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfhpd32.dll" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimbbpmc.dll" Nlanhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegnglnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dangeigl.dll" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimecp32.dll" Hdeoccgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdcofop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjkbmim.dll" Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhlbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facqnfnm.dll" Pfkkeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meemgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkiebib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpdhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihnjmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmibmhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelmbifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alaccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbejp32.dll" Alaccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll" Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idekbgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfdpjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphehidc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll" Cbkgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojbnkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkng32.dll" Ilifndlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ligfakaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmddik32.dll" Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfkkeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll" Donojm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hadfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciepkajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelgfoke.dll" Jipcbidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcfgoadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjcj32.dll" Nndgeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimlibmn.dll" Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfjmik.dll" Mkohjbah.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 2176 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 30 PID 2840 wrote to memory of 2176 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 30 PID 2840 wrote to memory of 2176 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 30 PID 2840 wrote to memory of 2176 2840 c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe 30 PID 2176 wrote to memory of 2708 2176 Bedamd32.exe 31 PID 2176 wrote to memory of 2708 2176 Bedamd32.exe 31 PID 2176 wrote to memory of 2708 2176 Bedamd32.exe 31 PID 2176 wrote to memory of 2708 2176 Bedamd32.exe 31 PID 2708 wrote to memory of 2672 2708 Befnbd32.exe 32 PID 2708 wrote to memory of 2672 2708 Befnbd32.exe 32 PID 2708 wrote to memory of 2672 2708 Befnbd32.exe 32 PID 2708 wrote to memory of 2672 2708 Befnbd32.exe 32 PID 2672 wrote to memory of 2724 2672 Cppobaeb.exe 33 PID 2672 wrote to memory of 2724 2672 Cppobaeb.exe 33 PID 2672 wrote to memory of 2724 2672 Cppobaeb.exe 33 PID 2672 wrote to memory of 2724 2672 Cppobaeb.exe 33 PID 2724 wrote to memory of 2600 2724 Cpbkhabp.exe 34 PID 2724 wrote to memory of 2600 2724 Cpbkhabp.exe 34 PID 2724 wrote to memory of 2600 2724 Cpbkhabp.exe 34 PID 2724 wrote to memory of 2600 2724 Cpbkhabp.exe 34 PID 2600 wrote to memory of 2012 2600 Cpdhna32.exe 35 PID 2600 wrote to memory of 2012 2600 Cpdhna32.exe 35 PID 2600 wrote to memory of 2012 2600 Cpdhna32.exe 35 PID 2600 wrote to memory of 2012 2600 Cpdhna32.exe 35 PID 2012 wrote to memory of 2960 2012 Cccdjl32.exe 36 PID 2012 wrote to memory of 2960 2012 Cccdjl32.exe 36 PID 2012 wrote to memory of 2960 2012 Cccdjl32.exe 36 PID 2012 wrote to memory of 2960 2012 Cccdjl32.exe 36 PID 2960 wrote to memory of 1016 2960 Cpiaipmh.exe 37 PID 2960 wrote to memory of 1016 2960 Cpiaipmh.exe 37 PID 2960 wrote to memory of 1016 2960 Cpiaipmh.exe 37 PID 2960 wrote to memory of 1016 2960 Cpiaipmh.exe 37 PID 1016 wrote to memory of 2920 1016 Donojm32.exe 38 PID 1016 wrote to memory of 2920 1016 Donojm32.exe 38 PID 1016 wrote to memory of 2920 1016 Donojm32.exe 38 PID 1016 wrote to memory of 2920 1016 Donojm32.exe 38 PID 2920 wrote to memory of 2972 2920 Ddkgbc32.exe 39 PID 2920 wrote to memory of 2972 2920 Ddkgbc32.exe 39 PID 2920 wrote to memory of 2972 2920 Ddkgbc32.exe 39 PID 2920 wrote to memory of 2972 2920 Ddkgbc32.exe 39 PID 2972 wrote to memory of 2944 2972 Dkeoongd.exe 40 PID 2972 wrote to memory of 2944 2972 Dkeoongd.exe 40 PID 2972 wrote to memory of 2944 2972 Dkeoongd.exe 40 PID 2972 wrote to memory of 2944 2972 Dkeoongd.exe 40 PID 2944 wrote to memory of 1216 2944 Dkgldm32.exe 41 PID 2944 wrote to memory of 1216 2944 Dkgldm32.exe 41 PID 2944 wrote to memory of 1216 2944 Dkgldm32.exe 41 PID 2944 wrote to memory of 1216 2944 Dkgldm32.exe 41 PID 1216 wrote to memory of 1020 1216 Djoeki32.exe 42 PID 1216 wrote to memory of 1020 1216 Djoeki32.exe 42 PID 1216 wrote to memory of 1020 1216 Djoeki32.exe 42 PID 1216 wrote to memory of 1020 1216 Djoeki32.exe 42 PID 1020 wrote to memory of 2172 1020 Dqinhcoc.exe 43 PID 1020 wrote to memory of 2172 1020 Dqinhcoc.exe 43 PID 1020 wrote to memory of 2172 1020 Dqinhcoc.exe 43 PID 1020 wrote to memory of 2172 1020 Dqinhcoc.exe 43 PID 2172 wrote to memory of 1296 2172 Ecgjdong.exe 44 PID 2172 wrote to memory of 1296 2172 Ecgjdong.exe 44 PID 2172 wrote to memory of 1296 2172 Ecgjdong.exe 44 PID 2172 wrote to memory of 1296 2172 Ecgjdong.exe 44 PID 1296 wrote to memory of 1028 1296 Eqkjmcmq.exe 45 PID 1296 wrote to memory of 1028 1296 Eqkjmcmq.exe 45 PID 1296 wrote to memory of 1028 1296 Eqkjmcmq.exe 45 PID 1296 wrote to memory of 1028 1296 Eqkjmcmq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe"C:\Users\Admin\AppData\Local\Temp\c6b2d8c3ef733cabeb47f0f137568075a9979a08708f19163d9a6abbe3e7599c.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Efhcej32.exeC:\Windows\system32\Efhcej32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe36⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe40⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe49⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe51⤵PID:2696
-
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe55⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe56⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe57⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe60⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe62⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe64⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe67⤵PID:2152
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe68⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe71⤵PID:348
-
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe72⤵PID:812
-
C:\Windows\SysWOW64\Kcajceke.exeC:\Windows\system32\Kcajceke.exe73⤵PID:1564
-
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe75⤵PID:2820
-
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe77⤵PID:2568
-
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe78⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe80⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe82⤵PID:372
-
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe84⤵
- System Location Discovery: System Language Discovery
PID:388 -
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe85⤵PID:2872
-
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe90⤵PID:964
-
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe91⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe92⤵PID:1440
-
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe93⤵
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe94⤵PID:568
-
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe96⤵PID:2792
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe98⤵PID:2392
-
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe100⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe103⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe104⤵PID:2904
-
C:\Windows\SysWOW64\Momapqgn.exeC:\Windows\system32\Momapqgn.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe108⤵PID:2124
-
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe110⤵PID:1664
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe112⤵PID:280
-
C:\Windows\SysWOW64\Mlgkbi32.exeC:\Windows\system32\Mlgkbi32.exe113⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Mgmoob32.exeC:\Windows\system32\Mgmoob32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe116⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe118⤵PID:2076
-
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe119⤵PID:2976
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-