Analysis
max time kernel: 143s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06/08/2024, 18:13
Static task: static1
Behavioral task: behavioral1
Sample: 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe
Resource: win10v2004-20240802-en
General
Target: 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe
Size: 768KB
MD5: 84fdf3f1138089ccf240cfb300c5702b
SHA1: ca0645e454757f3b3cf9a02956975063dd767789
SHA256: 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc
SHA512: 4f0f59410653d343b4d8d4e03eea79c412cd7113a28b5cb25ad7e6b943108bf2ce8e4d31efed69083598e59e4de235e2bacd7b1fd3e0664753c0bf4ab07117b2
SSDEEP: 12288:9Pgvf6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGJ:R0q5h3q5htaSHFaZRBEYyqmaf2qwiHPX
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3816, pid_target: 3796, Process: WerFault.exe, procid_target: 255
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 612 wrote to memory of 2868 612 Djkodg32.exe 31
PID 612 wrote to memory of 2868 612 Djkodg32.exe 31
PID 612 wrote to memory of 2868 612 Djkodg32.exe 31
PID 612 wrote to memory of 2868 612 Djkodg32.exe 31
PID 2868 wrote to memory of 2832 2868 Elaego32.exe 32
PID 2868 wrote to memory of 2832 2868 Elaego32.exe 32
PID 2868 wrote to memory of 2832 2868 Elaego32.exe 32
PID 2868 wrote to memory of 2832 2868 Elaego32.exe 32
PID 2832 wrote to memory of 2944 2832 Eoanij32.exe 33
PID 2832 wrote to memory of 2944 2832 Eoanij32.exe 33
PID 2832 wrote to memory of 2944 2832 Eoanij32.exe 33
PID 2832 wrote to memory of 2944 2832 Eoanij32.exe 33
PID 2944 wrote to memory of 2588 2944 Efifjg32.exe 34
PID 2944 wrote to memory of 2588 2944 Efifjg32.exe 34
PID 2944 wrote to memory of 2588 2944 Efifjg32.exe 34
PID 2944 wrote to memory of 2588 2944 Efifjg32.exe 34
PID 2588 wrote to memory of 2980 2588 Fofhdidp.exe 35
PID 2588 wrote to memory of 2980 2588 Fofhdidp.exe 35
PID 2588 wrote to memory of 2980 2588 Fofhdidp.exe 35
PID 2588 wrote to memory of 2980 2588 Fofhdidp.exe 35
PID 2980 wrote to memory of 2412 2980 Foidii32.exe 36
PID 2980 wrote to memory of 2412 2980 Foidii32.exe 36
PID 2980 wrote to memory of 2412 2980 Foidii32.exe 36
PID 2980 wrote to memory of 2412 2980 Foidii32.exe 36
PID 2412 wrote to memory of 1716 2412 Fdemap32.exe 37
PID 2412 wrote to memory of 1716 2412 Fdemap32.exe 37
PID 2412 wrote to memory of 1716 2412 Fdemap32.exe 37
PID 2412 wrote to memory of 1716 2412 Fdemap32.exe 37
PID 1716 wrote to memory of 1060 1716 Fkpeojha.exe 38
PID 1716 wrote to memory of 1060 1716 Fkpeojha.exe 38
PID 1716 wrote to memory of 1060 1716 Fkpeojha.exe 38
PID 1716 wrote to memory of 1060 1716 Fkpeojha.exe 38
PID 1060 wrote to memory of 1176 1060 Faimkd32.exe 39
PID 1060 wrote to memory of 1176 1060 Faimkd32.exe 39
PID 1060 wrote to memory of 1176 1060 Faimkd32.exe 39
PID 1060 wrote to memory of 1176 1060 Faimkd32.exe 39
PID 1176 wrote to memory of 1632 1176 Gdophn32.exe 40
PID 1176 wrote to memory of 1632 1176 Gdophn32.exe 40
PID 1176 wrote to memory of 1632 1176 Gdophn32.exe 40
PID 1176 wrote to memory of 1632 1176 Gdophn32.exe 40
PID 1632 wrote to memory of 1200 1632 Gaiijgbi.exe 41
PID 1632 wrote to memory of 1200 1632 Gaiijgbi.exe 41
PID 1632 wrote to memory of 1200 1632 Gaiijgbi.exe 41
PID 1632 wrote to memory of 1200 1632 Gaiijgbi.exe 41
PID 1200 wrote to memory of 2380 1200 Gjpakdbl.exe 42
PID 1200 wrote to memory of 2380 1200 Gjpakdbl.exe 42
PID 1200 wrote to memory of 2380 1200 Gjpakdbl.exe 42
PID 1200 wrote to memory of 2380 1200 Gjpakdbl.exe 42
PID 2380 wrote to memory of 2444 2380 Hdolga32.exe 43
PID 2380 wrote to memory of 2444 2380 Hdolga32.exe 43
PID 2380 wrote to memory of 2444 2380 Hdolga32.exe 43
PID 2380 wrote to memory of 2444 2380 Hdolga32.exe 43
PID 2444 wrote to memory of 2016 2444 Hgmhcm32.exe 44
PID 2444 wrote to memory of 2016 2444 Hgmhcm32.exe 44
PID 2444 wrote to memory of 2016 2444 Hgmhcm32.exe 44
PID 2444 wrote to memory of 2016 2444 Hgmhcm32.exe 44
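The two IoC runs above (the ShellServiceObjectDelayLoad and CLSID\InProcServer32 registry writes, and the WriteProcessMemory events) are what an analyst actually needs from this report: which DLL the "Web Event Logger" CLSID is pointed at, and the order in which the dropped executables hand off to each other. The following Python is an added example, not part of the tria.ge report or of the sample's code: it parses both runs into records, joins the SSODL value to every DLL path its CLSID's InProcServer32 default value was set to, and collapses the repeated write events into a parent-to-child chain. The sample entries are a subset copied from this report; the field layout the regexes assume is my reading of the report format, not a documented tria.ge schema.

```python
"""Parse the tria.ge IoC runs in this report into structured records.
Added example, not tria.ge code. The regexes assume the entry layout seen
above: 'Set value (str) <key>\<name> = "<data>" <writer.exe>' / 'Key created <key> <writer.exe>'
and 'PID <src> wrote to memory of <dst> <src> <process> <procid_target>'."""
import re
from collections import OrderedDict

REG_RE = re.compile(r'^(?P<action>Set value \(\w+\)|Key created) (?P<path>\\REGISTRY\\.*?)'
                    r'(?: = "(?P<data>[^"]*)")? (?P<process>\S+\.exe)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<process>\S+) \d+$')
CLSID_KEY = re.compile(r'\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$')

# Constructed subset of the entries in this report (one per line here; the report runs them together).
REGISTRY_SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkiiom32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblmom32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lendnaic.dll" Lejppj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocbbbd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmocok32.dll" Egbffj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djkodg32.exe
'''
WPM_SAMPLE = '''
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2280 wrote to memory of 2396 2280 022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe 29
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 2396 wrote to memory of 612 2396 Dhmchljg.exe 30
PID 612 wrote to memory of 2868 612 Djkodg32.exe 31
PID 2868 wrote to memory of 2832 2868 Elaego32.exe 32
'''


def split_entries(text, start):
    """Split a run of entries (one per line, or all on one line as in the report) at each entry start."""
    return [e for e in re.split(r'\s+(?=' + start + ')', text.strip()) if e]


def parse_registry(text):
    records = []
    for entry in split_entries(text, r'Set value \(|Key created '):
        m = REG_RE.match(entry)
        if not m:
            raise ValueError('unparsed registry entry: ' + entry)
        path, data = m.group('path'), m.group('data')
        if m.group('action') == 'Key created':
            key, name = path, None
        else:
            key, _, name = path.rpartition('\\')  # a trailing '\' is the (Default) value, name ''
        if data is not None:
            data = data.replace('\\\\', '\\')     # the report doubles backslashes in REG_SZ data
        records.append({'action': m.group('action'), 'key': key, 'name': name,
                        'data': data, 'process': m.group('process')})
    return records


def ssodl_persistence(records):
    """Join each ShellServiceObjectDelayLoad value to the DLL(s) its CLSID's InProcServer32 names."""
    dlls, threading, result = {}, {}, OrderedDict()
    for r in records:
        if r['action'] == 'Key created':
            continue
        m = CLSID_KEY.search(r['key'].lower())
        if m and r['name'] == '':
            lst = dlls.setdefault(m.group(1).upper(), [])
            if r['data'] not in lst:
                lst.append(r['data'])
        elif m and r['name'].lower() == 'threadingmodel':
            threading[m.group(1).upper()] = r['data']
    for r in records:
        if r['action'] != 'Key created' and r['key'].lower().endswith('\\shellserviceobjectdelayload'):
            clsid = r['data'].upper()
            entry = result.setdefault(r['name'], {'clsid': clsid, 'dlls': dlls.get(clsid, []),
                                                  'threading': threading.get(clsid), 'writers': []})
            if r['process'] not in entry['writers']:
                entry['writers'].append(r['process'])
    return result


def parse_wpm(text):
    """Return OrderedDict src_pid -> (process name, distinct target pids); repeated writes collapse."""
    edges = OrderedDict()
    for entry in split_entries(text, r'PID \d+ wrote to memory'):
        m = WPM_RE.match(entry)
        if not m:
            raise ValueError('unparsed WriteProcessMemory entry: ' + entry)
        targets = edges.setdefault(int(m.group('src')), (m.group('process'), []))[1]
        if int(m.group('dst')) not in targets:
            targets.append(int(m.group('dst')))
    return edges


def spawn_chain(edges):
    """Walk first-child links from the root (a writer nobody wrote into) down to the last target."""
    written_into = {t for _, ts in edges.values() for t in ts}
    roots = [pid for pid in edges if pid not in written_into]
    if len(roots) != 1:
        raise ValueError('expected one root process, found %r' % roots)
    pid, chain = roots[0], []
    while pid in edges:
        name, targets = edges[pid]
        chain.append((pid, name))
        pid = targets[0]
    chain.append((pid, None))  # last target: its image name only appears in the process tree
    return chain


if __name__ == '__main__':
    for name, info in ssodl_persistence(parse_registry(REGISTRY_SAMPLE)).items():
        print(name, info['clsid'], info['dlls'], info['threading'], info['writers'])
    print(' -> '.join('%s(%d)' % (n or '?', p) for p, n in spawn_chain(parse_wpm(WPM_SAMPLE))))
```

The join is the useful part: Explorer loads every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the value name "Web Event Logger" on its own tells you nothing; the InProcServer32 default value is what names the DLL in SysWow64 that will be loaded, and the report shows successive generations rewriting it to a fresh name. On a live host the same two keys (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{...}\InProcServer32, plus the non-Wow6432Node equivalents) are the ones to pull when hunting for this family.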
Processes
-
C:\Users\Admin\AppData\Local\Temp\022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe"C:\Users\Admin\AppData\Local\Temp\022ba7b5010cd1d7b9db1bb9a22b5f4c166bf1c72444e5862777acb69313cfdc.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Efifjg32.exeC:\Windows\system32\Efifjg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Fofhdidp.exeC:\Windows\system32\Fofhdidp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Gjpakdbl.exeC:\Windows\system32\Gjpakdbl.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Iihgadhl.exeC:\Windows\system32\Iihgadhl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Ingmoj32.exeC:\Windows\system32\Ingmoj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Jchobqnc.exeC:\Windows\system32\Jchobqnc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Jkpfcnoe.exeC:\Windows\system32\Jkpfcnoe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Jjbgok32.exeC:\Windows\system32\Jjbgok32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Jckkhplq.exeC:\Windows\system32\Jckkhplq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe35⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jfnaok32.exeC:\Windows\system32\Jfnaok32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Jbdadl32.exeC:\Windows\system32\Jbdadl32.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Kbikokin.exeC:\Windows\system32\Kbikokin.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe45⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe48⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Linfpi32.exeC:\Windows\system32\Linfpi32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Liqcei32.exeC:\Windows\system32\Liqcei32.exe53⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Legcjjjm.exeC:\Windows\system32\Legcjjjm.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Lpmhgc32.exeC:\Windows\system32\Lpmhgc32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lckdcn32.exeC:\Windows\system32\Lckdcn32.exe58⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Mlfebcnd.exeC:\Windows\system32\Mlfebcnd.exe61⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Meojkide.exeC:\Windows\system32\Meojkide.exe62⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe63⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Moikinib.exeC:\Windows\system32\Moikinib.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe66⤵
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:716 -
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe72⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ngiiip32.exeC:\Windows\system32\Ngiiip32.exe73⤵PID:756
-
C:\Windows\SysWOW64\Njgeel32.exeC:\Windows\system32\Njgeel32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Nqamaeii.exeC:\Windows\system32\Nqamaeii.exe75⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe76⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe77⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe78⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Nmkklflj.exeC:\Windows\system32\Nmkklflj.exe80⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Nbgcdmjb.exeC:\Windows\system32\Nbgcdmjb.exe81⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe82⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe83⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Nokdnail.exeC:\Windows\system32\Nokdnail.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe85⤵PID:920
-
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe86⤵PID:2076
-
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe88⤵PID:2860
-
C:\Windows\SysWOW64\Oifelfni.exeC:\Windows\system32\Oifelfni.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Ocpfmd32.exeC:\Windows\system32\Ocpfmd32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Okgnna32.exeC:\Windows\system32\Okgnna32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:504 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe94⤵PID:304
-
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe97⤵PID:1544
-
C:\Windows\SysWOW64\Opicgenj.exeC:\Windows\system32\Opicgenj.exe98⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Oahpahel.exeC:\Windows\system32\Oahpahel.exe100⤵
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe101⤵PID:2856
-
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe105⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe106⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe107⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Pfjbdn32.exeC:\Windows\system32\Pfjbdn32.exe108⤵PID:1692
-
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe109⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe111⤵PID:2448
-
C:\Windows\SysWOW64\Pikkfilp.exeC:\Windows\system32\Pikkfilp.exe112⤵PID:2796
-
C:\Windows\SysWOW64\Pligbekc.exeC:\Windows\system32\Pligbekc.exe113⤵
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Peakkj32.exeC:\Windows\system32\Peakkj32.exe114⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe115⤵PID:2500
-
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Qechqj32.exeC:\Windows\system32\Qechqj32.exe117⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe118⤵
- Drops file in System32 directory
PID:300 -
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe119⤵PID:2580
-
C:\Windows\SysWOW64\Qdieaf32.exeC:\Windows\system32\Qdieaf32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe121⤵PID:2964
-
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe122⤵
- System Location Discovery: System Language Discovery
PID:2948