Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 04:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7dc0b839caf8f8400b0e8e60721e8940N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7dc0b839caf8f8400b0e8e60721e8940N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
7dc0b839caf8f8400b0e8e60721e8940N.exe
-
Size
790KB
-
MD5
7dc0b839caf8f8400b0e8e60721e8940
-
SHA1
70c53e3067f7c328184768c1609d8167dddd6bfc
-
SHA256
907c4a793fe3c231f40a74b3587641c926427a0452314bebfe6c1ea866328c20
-
SHA512
096de98938cbbb618194655e63dd06d2decd79cd7c3b893e5f4ac15ca351277407e51a4c90f3480e3512e88f4771bf70540235885c3a619488a6442be93e2469
-
SSDEEP
12288:dauFB24lwR4P87g7/VycgE81lgxaa79y:daWPqoIlg17o
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agjmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqddmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjeglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfknhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkndhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdldnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmbqgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heikgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endklmlq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baclaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onfoin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeoidik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omhkcnfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoomflpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpqlemaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceeqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daofpchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmopa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Halbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phcpgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ochcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klmbjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhplhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdegfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nldahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmglajcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchdpbog.exe -
Executes dropped EXE 64 IoCs
pid Process 2788 Iggned32.exe 2164 Ippbnjni.exe 1776 Jcedkd32.exe 2632 Jkbfdfbm.exe 1052 Kkgopf32.exe 272 Knekla32.exe 264 Knmamp32.exe 2480 Lmdkcl32.exe 2796 Lbcpac32.exe 788 Mcifdj32.exe 2044 Mamgmofp.exe 1100 Mdbiji32.exe 2448 Nmkncofl.exe 2976 Nledoj32.exe 696 Ogqaehak.exe 896 Olbchn32.exe 1764 Oifdbb32.exe 1536 Phnnho32.exe 1968 Pkljdj32.exe 888 Pojbkh32.exe 1664 Pahogc32.exe 3008 Pgegok32.exe 348 Pqnlhpfb.exe 1528 Pdldnomh.exe 1836 Qgjqjjll.exe 2852 Qfonkfqd.exe 2736 Qinjgbpg.exe 2828 Acekjjmk.exe 2752 Aibcba32.exe 2744 Aoohekal.exe 2476 Agjmim32.exe 2272 Aababceh.exe 2676 Ajjfkh32.exe 1304 Bmibgd32.exe 1680 Bmkomchi.exe 2880 Bgqcjlhp.exe 2136 Bbjdjjdn.exe 1280 Bcjqdmla.exe 2364 Bigimdjh.exe 2208 Cofnjj32.exe 2464 Cadjgf32.exe 1696 Cdecha32.exe 448 Cllkin32.exe 1368 Ckolek32.exe 1856 Chcloo32.exe 1200 Ckahkk32.exe 2400 Cdjmcpnl.exe 2060 Cheido32.exe 988 Cmbalfem.exe 876 Dbojdmcd.exe 2776 Ddnfop32.exe 2340 Dgmbkk32.exe 2840 Dcccpl32.exe 2908 Dhplhc32.exe 2628 Dcfpel32.exe 608 Domqjm32.exe 1524 Ddiibc32.exe 2912 Elqaca32.exe 3028 Eeielfhk.exe 812 Endjaief.exe 1756 Ednbncmb.exe 2104 Ehjona32.exe 1316 Epecbd32.exe 1032 Ejmhkiig.exe -
Loads dropped DLL 64 IoCs
pid Process 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 2788 Iggned32.exe 2788 Iggned32.exe 2164 Ippbnjni.exe 2164 Ippbnjni.exe 1776 Jcedkd32.exe 1776 Jcedkd32.exe 2632 Jkbfdfbm.exe 2632 Jkbfdfbm.exe 1052 Kkgopf32.exe 1052 Kkgopf32.exe 272 Knekla32.exe 272 Knekla32.exe 264 Knmamp32.exe 264 Knmamp32.exe 2480 Lmdkcl32.exe 2480 Lmdkcl32.exe 2796 Lbcpac32.exe 2796 Lbcpac32.exe 788 Mcifdj32.exe 788 Mcifdj32.exe 2044 Mamgmofp.exe 2044 Mamgmofp.exe 1100 Mdbiji32.exe 1100 Mdbiji32.exe 2448 Nmkncofl.exe 2448 Nmkncofl.exe 2976 Nledoj32.exe 2976 Nledoj32.exe 696 Ogqaehak.exe 696 Ogqaehak.exe 896 Olbchn32.exe 896 Olbchn32.exe 1764 Oifdbb32.exe 1764 Oifdbb32.exe 1536 Phnnho32.exe 1536 Phnnho32.exe 1968 Pkljdj32.exe 1968 Pkljdj32.exe 888 Pojbkh32.exe 888 Pojbkh32.exe 1664 Pahogc32.exe 1664 Pahogc32.exe 3008 Pgegok32.exe 3008 Pgegok32.exe 348 Pqnlhpfb.exe 348 Pqnlhpfb.exe 1528 Pdldnomh.exe 1528 Pdldnomh.exe 1836 Qgjqjjll.exe 1836 Qgjqjjll.exe 2852 Qfonkfqd.exe 2852 Qfonkfqd.exe 2736 Qinjgbpg.exe 2736 Qinjgbpg.exe 2828 Acekjjmk.exe 2828 Acekjjmk.exe 2752 Aibcba32.exe 2752 Aibcba32.exe 2744 Aoohekal.exe 2744 Aoohekal.exe 2476 Agjmim32.exe 2476 Agjmim32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qmhahkdj.exe Qoeamo32.exe File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe Njhfcp32.exe File created C:\Windows\SysWOW64\Gdnibjgk.dll Dcllbhdn.exe File created C:\Windows\SysWOW64\Doabjbci.exe Dcjaeamd.exe File opened for modification C:\Windows\SysWOW64\Ijlaloaf.exe Inepgn32.exe File created C:\Windows\SysWOW64\Jfmacf32.dll Hlafnbal.exe File created C:\Windows\SysWOW64\Gkepinpk.dll Jlhhndno.exe File created C:\Windows\SysWOW64\Hjjpmh32.dll Ooicid32.exe File created C:\Windows\SysWOW64\Qkfocaki.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Eoblnd32.exe Elcpbigl.exe File created C:\Windows\SysWOW64\Ioooiack.exe Iplnnd32.exe File opened for modification C:\Windows\SysWOW64\Nmqpam32.exe Njbdea32.exe File created C:\Windows\SysWOW64\Cmmagpef.exe Ccdmnj32.exe File opened for modification C:\Windows\SysWOW64\Aoaill32.exe Aeiecfga.exe File opened for modification C:\Windows\SysWOW64\Bcjqdmla.exe Bbjdjjdn.exe File created C:\Windows\SysWOW64\Aqjdgmgd.exe Anlhkbhq.exe File created C:\Windows\SysWOW64\Dghccddl.dll Jieaofmp.exe File created C:\Windows\SysWOW64\Aoomflpd.exe Aaklmhak.exe File created C:\Windows\SysWOW64\Dfkclf32.exe Dkeoongd.exe File created C:\Windows\SysWOW64\Nledoj32.exe Nmkncofl.exe File created C:\Windows\SysWOW64\Lbafdlod.exe Lldmleam.exe File created C:\Windows\SysWOW64\Imgnjb32.exe Ijibng32.exe File created C:\Windows\SysWOW64\Hdbnfqia.dll Pljcllqe.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Cjonncab.exe File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe Dcbnpgkh.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Aqjdgmgd.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mneohj32.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Nhgnaehm.exe File created C:\Windows\SysWOW64\Dcbnpgkh.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Oopqjabc.dll Liipnb32.exe File opened for modification C:\Windows\SysWOW64\Cofnjj32.exe Bigimdjh.exe File created C:\Windows\SysWOW64\Klhemhpk.exe Kpadhg32.exe File opened for modification C:\Windows\SysWOW64\Lkbmbl32.exe Klmqapci.exe File opened for modification C:\Windows\SysWOW64\Kapohbfp.exe Kjeglh32.exe File opened for modification C:\Windows\SysWOW64\Ojmbgh32.exe Omiand32.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Boljgg32.exe File opened for modification C:\Windows\SysWOW64\Mndhnd32.exe Mgjpaj32.exe File opened for modification C:\Windows\SysWOW64\Mndmoaog.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Eldhjg32.dll Hieiqo32.exe File opened for modification C:\Windows\SysWOW64\Jefpeh32.exe Jioopgef.exe File created C:\Windows\SysWOW64\Ocjpkm32.exe Offpbi32.exe File created C:\Windows\SysWOW64\Anecfgdc.exe Qhkkim32.exe File created C:\Windows\SysWOW64\Kdcgnide.dll Gnmifk32.exe File created C:\Windows\SysWOW64\Ocaeoe32.dll Iinmfk32.exe File opened for modification C:\Windows\SysWOW64\Mainndaq.exe Mkofaj32.exe File created C:\Windows\SysWOW64\Omjefg32.dll Fbpclofe.exe File opened for modification C:\Windows\SysWOW64\Gdcmig32.exe Flhhed32.exe File created C:\Windows\SysWOW64\Kaqnpc32.dll Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Pdppqbkn.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Dklepmal.exe Dcemnopj.exe File opened for modification C:\Windows\SysWOW64\Lpqlemaj.exe Lghgmg32.exe File created C:\Windows\SysWOW64\Aeiecfga.exe Aoomflpd.exe File opened for modification C:\Windows\SysWOW64\Dcemnopj.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Ejmhkiig.exe Epecbd32.exe File created C:\Windows\SysWOW64\Olpilg32.exe Opihgfop.exe File opened for modification C:\Windows\SysWOW64\Eopphehb.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Doiddc32.dll Iplnnd32.exe File created C:\Windows\SysWOW64\Pcdhbgoc.dll Cmjdaqgi.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Khadpa32.exe Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Qinjgbpg.exe Qfonkfqd.exe File opened for modification C:\Windows\SysWOW64\Endjaief.exe Eeielfhk.exe File created C:\Windows\SysWOW64\Gnfnae32.dll Mmgfqh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2740 4364 WerFault.exe 836 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeqopcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpdomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgoboc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkoeoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcngenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimmjffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgopf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeehmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoaill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omefkplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckahkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glchpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcccpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipomlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdibkam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjlebjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaoqqflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acekjjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppcmncq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqhdmbc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qobmnf32.dll" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakfkb32.dll" Offpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmibgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agngji32.dll" Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpdghaq.dll" Mneohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocjpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkadjjcg.dll" Flhhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnifncd.dll" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikidod32.dll" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljdnm32.dll" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Olpilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dglpdomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoohekal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjoffbmm.dll" Eqjmncna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgneo32.dll" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnglnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpebidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggnickaj.dll" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaeehmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpifad32.dll" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnklgkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfpmbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaqnkafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paiaplin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jggoqimd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eblelb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kijmbnpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll" Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkfclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfffifgk.dll" Ipomlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhknil32.dll" Dghjkpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfekec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anecfgdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flhmfbim.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2788 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 30 PID 2724 wrote to memory of 2788 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 30 PID 2724 wrote to memory of 2788 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 30 PID 2724 wrote to memory of 2788 2724 7dc0b839caf8f8400b0e8e60721e8940N.exe 30 PID 2788 wrote to memory of 2164 2788 Iggned32.exe 31 PID 2788 wrote to memory of 2164 2788 Iggned32.exe 31 PID 2788 wrote to memory of 2164 2788 Iggned32.exe 31 PID 2788 wrote to memory of 2164 2788 Iggned32.exe 31 PID 2164 wrote to memory of 1776 2164 Ippbnjni.exe 32 PID 2164 wrote to memory of 1776 2164 Ippbnjni.exe 32 PID 2164 wrote to memory of 1776 2164 Ippbnjni.exe 32 PID 2164 wrote to memory of 1776 2164 Ippbnjni.exe 32 PID 1776 wrote to memory of 2632 1776 Jcedkd32.exe 33 PID 1776 wrote to memory of 2632 1776 Jcedkd32.exe 33 PID 1776 wrote to memory of 2632 1776 Jcedkd32.exe 33 PID 1776 wrote to memory of 2632 1776 Jcedkd32.exe 33 PID 2632 wrote to memory of 1052 2632 Jkbfdfbm.exe 34 PID 2632 wrote to memory of 1052 2632 Jkbfdfbm.exe 34 PID 2632 wrote to memory of 1052 2632 Jkbfdfbm.exe 34 PID 2632 wrote to memory of 1052 2632 Jkbfdfbm.exe 34 PID 1052 wrote to memory of 272 1052 Kkgopf32.exe 35 PID 1052 wrote to memory of 272 1052 Kkgopf32.exe 35 PID 1052 wrote to memory of 272 1052 Kkgopf32.exe 35 PID 1052 wrote to memory of 272 1052 Kkgopf32.exe 35 PID 272 wrote to memory of 264 272 Knekla32.exe 36 PID 272 wrote to memory of 264 272 Knekla32.exe 36 PID 272 wrote to memory of 264 272 Knekla32.exe 36 PID 272 wrote to memory of 264 272 Knekla32.exe 36 PID 264 wrote to memory of 2480 264 Knmamp32.exe 37 PID 264 wrote to memory of 2480 264 Knmamp32.exe 37 PID 264 wrote to memory of 2480 264 Knmamp32.exe 37 PID 264 wrote to memory of 2480 264 Knmamp32.exe 37 PID 2480 wrote to memory of 2796 2480 Lmdkcl32.exe 38 PID 2480 wrote to memory of 2796 2480 Lmdkcl32.exe 38 PID 2480 wrote to memory of 2796 2480 Lmdkcl32.exe 38 PID 2480 wrote to memory of 2796 2480 Lmdkcl32.exe 38 PID 2796 wrote to memory of 788 2796 Lbcpac32.exe 39 PID 2796 wrote to memory of 788 2796 Lbcpac32.exe 39 PID 2796 wrote to memory of 788 2796 Lbcpac32.exe 39 PID 2796 wrote to memory of 788 2796 Lbcpac32.exe 39 PID 788 wrote to memory of 2044 788 Mcifdj32.exe 40 PID 788 wrote to memory of 2044 788 Mcifdj32.exe 40 PID 788 wrote to memory of 2044 788 Mcifdj32.exe 40 PID 788 wrote to memory of 2044 788 Mcifdj32.exe 40 PID 2044 wrote to memory of 1100 2044 Mamgmofp.exe 41 PID 2044 wrote to memory of 1100 2044 Mamgmofp.exe 41 PID 2044 wrote to memory of 1100 2044 Mamgmofp.exe 41 PID 2044 wrote to memory of 1100 2044 Mamgmofp.exe 41 PID 1100 wrote to memory of 2448 1100 Mdbiji32.exe 42 PID 1100 wrote to memory of 2448 1100 Mdbiji32.exe 42 PID 1100 wrote to memory of 2448 1100 Mdbiji32.exe 42 PID 1100 wrote to memory of 2448 1100 Mdbiji32.exe 42 PID 2448 wrote to memory of 2976 2448 Nmkncofl.exe 43 PID 2448 wrote to memory of 2976 2448 Nmkncofl.exe 43 PID 2448 wrote to memory of 2976 2448 Nmkncofl.exe 43 PID 2448 wrote to memory of 2976 2448 Nmkncofl.exe 43 PID 2976 wrote to memory of 696 2976 Nledoj32.exe 44 PID 2976 wrote to memory of 696 2976 Nledoj32.exe 44 PID 2976 wrote to memory of 696 2976 Nledoj32.exe 44 PID 2976 wrote to memory of 696 2976 Nledoj32.exe 44 PID 696 wrote to memory of 896 696 Ogqaehak.exe 45 PID 696 wrote to memory of 896 696 Ogqaehak.exe 45 PID 696 wrote to memory of 896 696 Ogqaehak.exe 45 PID 696 wrote to memory of 896 696 Ogqaehak.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dc0b839caf8f8400b0e8e60721e8940N.exe"C:\Users\Admin\AppData\Local\Temp\7dc0b839caf8f8400b0e8e60721e8940N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:348 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe33⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe34⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe36⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe37⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe39⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe42⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe43⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe44⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe45⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe46⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe48⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe50⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe51⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe53⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe56⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe57⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe58⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe61⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe62⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe66⤵PID:992
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe67⤵PID:1400
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe68⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe69⤵PID:2324
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe70⤵PID:2200
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe71⤵PID:2996
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe73⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe74⤵PID:2748
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe75⤵PID:2596
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe76⤵PID:2896
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe77⤵PID:2640
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe78⤵PID:2680
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe79⤵PID:624
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe80⤵PID:580
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe81⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe82⤵PID:1244
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe84⤵PID:1692
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe85⤵PID:1704
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe86⤵PID:2868
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe88⤵PID:2944
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe89⤵PID:2712
-
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe90⤵PID:2652
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe91⤵PID:2668
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe92⤵PID:3032
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe94⤵PID:1092
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe95⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe98⤵PID:1164
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe101⤵PID:2120
-
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe102⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe103⤵PID:2704
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe104⤵PID:2820
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe105⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe106⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe107⤵PID:2904
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe108⤵PID:1152
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe109⤵PID:756
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe110⤵PID:2080
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe111⤵PID:2224
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe112⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe113⤵PID:1924
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe114⤵
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe115⤵PID:352
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe117⤵PID:1320
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe118⤵PID:2348
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe120⤵PID:1284
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe121⤵
- Modifies registry class
PID:800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-