Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18/08/2024, 22:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe
-
Size
288KB
-
MD5
c64cb4b0204d9c987497bc22a78221fd
-
SHA1
7e0b8453bf395b107a608f1621fc7cb04ef08eda
-
SHA256
72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269
-
SHA512
88fab5fc034a55f2685a9365ccf4756bd69288146353347fded3050074e39ed03a861d06ba578a18f9b928f574bcb24197270c24cb004aa91cf4e6795b9143bb
-
SSDEEP
3072:S97z3ldyu3DjGQVT8S3a+LaYthj7ZTNf9Nm2C4smf9vms+CzFW4r2RKihOfr9n:S97DvyPQ6N+uwLN7Rjr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noighakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgihkmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clheeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Janijh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfanjcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Docjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkkhckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeameodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbfalpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnokjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acncngpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhmdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfqpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdfogiil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhknigfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbdce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfedhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qloiqcbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhkkjnmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmegbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbbcgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panboflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koafcppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecabfpff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmdgmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnajcig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfbcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbcmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Minnmomo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehbgbngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genkhidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbaebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iodlcnmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhjejai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaqkkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbbcgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jobnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlckoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhlmhgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgiga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogqihcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaegha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiflgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhegckpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfqpmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabjbdn.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Bkmcni32.exe 1636 Bhqdgm32.exe 2472 Cqqbgoba.exe 2864 Cfpgee32.exe 2880 Dkaihkih.exe 2692 Dlfbck32.exe 2676 Edhmhl32.exe 552 Ebmjihqn.exe 588 Fbbcdh32.exe 2008 Fkpeojha.exe 2328 Fhfbmn32.exe 1564 Ggkoojip.exe 1844 Gaiijgbi.exe 2436 Glajmppm.exe 2400 Hgkknm32.exe 2464 Hnimeg32.exe 932 Ijegeg32.exe 964 Iflhjh32.exe 2168 Iodlcnmf.exe 272 Iniidj32.exe 2116 Jjbgok32.exe 1616 Jfigdl32.exe 2392 Jaahgd32.exe 2128 Jmhile32.exe 1092 Kbgnil32.exe 1648 Kononm32.exe 968 Kjdpcnfi.exe 2720 Kaaeegkc.exe 1608 Kacakgip.exe 2836 Lmlofhmb.exe 2872 Lhhmle32.exe 2660 Lcnqin32.exe 1868 Maejpj32.exe 1996 Moikinib.exe 1116 Mgdpnqfn.exe 2520 Mnqdpj32.exe 2984 Nncaejie.exe 2964 Nlhnfg32.exe 856 Nfqbol32.exe 1528 Noighakn.exe 3036 Nokdnail.exe 532 Nidhfgpl.exe 2528 Oqomkimg.exe 2312 Ojgado32.exe 580 Oemfahcn.exe 624 Omhjejai.exe 1656 Omjgkjof.exe 1492 Ofcldoef.exe 3012 Opkpme32.exe 1304 Picdejbg.exe 2156 Pciiccbm.exe 1584 Pldnge32.exe 2756 Pembpkfi.exe 2852 Pbqbioeb.exe 2624 Phmkaf32.exe 2748 Pafpjljk.exe 2512 Pjndca32.exe 2924 Qfedhb32.exe 2868 Qajiek32.exe 1792 Qfganb32.exe 2452 Appfggjm.exe 2284 Aihjpman.exe 680 Apbblg32.exe 824 Aijgemok.exe -
Loads dropped DLL 64 IoCs
pid Process 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 2712 Bkmcni32.exe 2712 Bkmcni32.exe 1636 Bhqdgm32.exe 1636 Bhqdgm32.exe 2472 Cqqbgoba.exe 2472 Cqqbgoba.exe 2864 Cfpgee32.exe 2864 Cfpgee32.exe 2880 Dkaihkih.exe 2880 Dkaihkih.exe 2692 Dlfbck32.exe 2692 Dlfbck32.exe 2676 Edhmhl32.exe 2676 Edhmhl32.exe 552 Ebmjihqn.exe 552 Ebmjihqn.exe 588 Fbbcdh32.exe 588 Fbbcdh32.exe 2008 Fkpeojha.exe 2008 Fkpeojha.exe 2328 Fhfbmn32.exe 2328 Fhfbmn32.exe 1564 Ggkoojip.exe 1564 Ggkoojip.exe 1844 Gaiijgbi.exe 1844 Gaiijgbi.exe 2436 Glajmppm.exe 2436 Glajmppm.exe 2400 Hgkknm32.exe 2400 Hgkknm32.exe 2464 Hnimeg32.exe 2464 Hnimeg32.exe 932 Ijegeg32.exe 932 Ijegeg32.exe 964 Iflhjh32.exe 964 Iflhjh32.exe 2168 Iodlcnmf.exe 2168 Iodlcnmf.exe 272 Iniidj32.exe 272 Iniidj32.exe 2116 Jjbgok32.exe 2116 Jjbgok32.exe 1616 Jfigdl32.exe 1616 Jfigdl32.exe 2392 Jaahgd32.exe 2392 Jaahgd32.exe 2128 Jmhile32.exe 2128 Jmhile32.exe 1092 Kbgnil32.exe 1092 Kbgnil32.exe 1648 Kononm32.exe 1648 Kononm32.exe 968 Kjdpcnfi.exe 968 Kjdpcnfi.exe 2720 Kaaeegkc.exe 2720 Kaaeegkc.exe 1608 Kacakgip.exe 1608 Kacakgip.exe 2836 Lmlofhmb.exe 2836 Lmlofhmb.exe 2872 Lhhmle32.exe 2872 Lhhmle32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pbfehn32.exe Pjkpckob.exe File opened for modification C:\Windows\SysWOW64\Chafpfqp.exe Boiagp32.exe File opened for modification C:\Windows\SysWOW64\Dhknigfq.exe Docjpa32.exe File opened for modification C:\Windows\SysWOW64\Chldbl32.exe Chigmlml.exe File opened for modification C:\Windows\SysWOW64\Gbpaef32.exe Gigllafc.exe File opened for modification C:\Windows\SysWOW64\Bhqdgm32.exe Bkmcni32.exe File created C:\Windows\SysWOW64\Mbenmb32.dll Glajmppm.exe File created C:\Windows\SysWOW64\Hpkbmemd.dll Kbjmhd32.exe File opened for modification C:\Windows\SysWOW64\Fmnoapba.exe Fqgnmo32.exe File opened for modification C:\Windows\SysWOW64\Pgjgapaa.exe Pghklq32.exe File created C:\Windows\SysWOW64\Lfckko32.exe Lmkgajnm.exe File created C:\Windows\SysWOW64\Imgljkbm.dll Phmkaf32.exe File created C:\Windows\SysWOW64\Hpiaec32.dll Panboflg.exe File created C:\Windows\SysWOW64\Eekpknlf.exe Eckcak32.exe File created C:\Windows\SysWOW64\Obhblkpa.dll Ddgljced.exe File opened for modification C:\Windows\SysWOW64\Gapbbk32.exe Fpnekc32.exe File created C:\Windows\SysWOW64\Ehahglmg.dll Iniidj32.exe File created C:\Windows\SysWOW64\Ooelen32.dll Jhjldiln.exe File created C:\Windows\SysWOW64\Gnlbpman.exe Gecmghkm.exe File created C:\Windows\SysWOW64\Qfchcq32.dll Dlfbck32.exe File created C:\Windows\SysWOW64\Acncngpl.exe Aclfigao.exe File created C:\Windows\SysWOW64\Mhfnlgnk.dll Gadkmj32.exe File opened for modification C:\Windows\SysWOW64\Enjmlgoj.exe Ecdhonoc.exe File created C:\Windows\SysWOW64\Kdpeplpn.dll Hempmfcb.exe File created C:\Windows\SysWOW64\Kolcdahb.exe Kdfogiil.exe File created C:\Windows\SysWOW64\Jocdqc32.exe Jhjldiln.exe File created C:\Windows\SysWOW64\Fjpipkgi.exe Fniikj32.exe File opened for modification C:\Windows\SysWOW64\Edhmhl32.exe Dlfbck32.exe File created C:\Windows\SysWOW64\Biehcmhh.dll Clpeajjb.exe File created C:\Windows\SysWOW64\Hiieqd32.exe Hleegpgb.exe File created C:\Windows\SysWOW64\Gnhlgoia.exe Gadkmj32.exe File created C:\Windows\SysWOW64\Mghgbeni.dll Eemded32.exe File created C:\Windows\SysWOW64\Gmnmce32.dll Ohgnoeii.exe File created C:\Windows\SysWOW64\Nbnajcig.exe Mheqie32.exe File created C:\Windows\SysWOW64\Bpajjmon.exe Bieegcid.exe File opened for modification C:\Windows\SysWOW64\Dfbfcn32.exe Choejien.exe File opened for modification C:\Windows\SysWOW64\Ebkpma32.exe Eickdlcd.exe File created C:\Windows\SysWOW64\Fnbahpke.dll Ghcmedmo.exe File opened for modification C:\Windows\SysWOW64\Nlibhhme.exe Npbbcgga.exe File created C:\Windows\SysWOW64\Jeckce32.dll Nojljcjf.exe File created C:\Windows\SysWOW64\Oiolfo32.exe Olklmk32.exe File created C:\Windows\SysWOW64\Nnlnkk32.dll Pciiccbm.exe File created C:\Windows\SysWOW64\Jkqpfmje.exe Iojoalda.exe File created C:\Windows\SysWOW64\Ooncljom.exe Ohdkop32.exe File created C:\Windows\SysWOW64\Kcjcefbd.exe Kjbnlqld.exe File opened for modification C:\Windows\SysWOW64\Gljfeimi.exe Gpdfph32.exe File created C:\Windows\SysWOW64\Cjmaed32.exe Bccihj32.exe File created C:\Windows\SysWOW64\Pkjcgmjl.dll Gjpodhfi.exe File created C:\Windows\SysWOW64\Qfedhb32.exe Pjndca32.exe File created C:\Windows\SysWOW64\Gpdfph32.exe Gfkagc32.exe File opened for modification C:\Windows\SysWOW64\Jnfbcg32.exe Jabajc32.exe File created C:\Windows\SysWOW64\Abehhc32.dll Apphpp32.exe File created C:\Windows\SysWOW64\Lboeoagk.dll Haldgbkc.exe File created C:\Windows\SysWOW64\Cnbhcl32.exe Ccmcfc32.exe File created C:\Windows\SysWOW64\Bgohhe32.dll Mnhbep32.exe File created C:\Windows\SysWOW64\Bnkpmkkd.dll Kjdpcnfi.exe File opened for modification C:\Windows\SysWOW64\Jffddfjk.exe Jkqpfmje.exe File created C:\Windows\SysWOW64\Dkakad32.exe Dbighojl.exe File created C:\Windows\SysWOW64\Migbkglj.dll Fjjeid32.exe File created C:\Windows\SysWOW64\Adbbfabn.dll Jchjqc32.exe File created C:\Windows\SysWOW64\Dgfkoh32.exe Ddeammok.exe File opened for modification C:\Windows\SysWOW64\Ghihfl32.exe Foacmg32.exe File created C:\Windows\SysWOW64\Pbaebh32.exe Piipibff.exe File created C:\Windows\SysWOW64\Jjbgok32.exe Iniidj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1736 1680 WerFault.exe 545 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpodhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihehbpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclfigao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qloiqcbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekndpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocdqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilianckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqomkimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceeaikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbnqfln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogqihcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghklq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkmbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjmlgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdhiaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaaeegkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkjbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnpcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmkgajnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnbjfjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkknm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmknko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcahga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Campbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcnbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkckneh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mafmhcam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgpfjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooncljom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgljced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikmkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgqlig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picdejbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghihfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkagc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnokjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpeojha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kagkebpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beccgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdohnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioefjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaqkkme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihngj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdpnqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbibla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbojk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnjbibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbcdh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbpjqqq.dll" Ggkoojip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hinlck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefboabg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbllfmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edimlq32.dll" Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qembbg32.dll" Eqklhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbabpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hocmbjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apheke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhplfp32.dll" Gfkagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfejocnp.dll" Kqijck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpccqd32.dll" Ncellpog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaaqkkme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ellfmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldgdpjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpbdd32.dll" Dihojnqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbnlqld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdieho32.dll" Cqqbgoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogpmcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hghhngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldnge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chigmlml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgaikep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbdce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmclcjo.dll" Gmhmdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpbilmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obpbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjfbaj32.dll" Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pamdpnhj.dll" Idabbpgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbccn32.dll" Epnkfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokjahgh.dll" Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjkpckob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpjjklod.dll" Ebkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmkaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liaenblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlokem32.dll" Phcpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkpjknd.dll" Opkpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngfepoaa.dll" Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linfjobh.dll" Lkgmdbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eabaeccd.dll" Obpbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niopgljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abcppcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picdejbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbckhmc.dll" Mhgbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chafpfqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laccdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdflhppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Capopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcfmdigd.dll" Noighakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hocmbjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeekp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlddbgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fccncknc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2712 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 29 PID 2172 wrote to memory of 2712 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 29 PID 2172 wrote to memory of 2712 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 29 PID 2172 wrote to memory of 2712 2172 72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe 29 PID 2712 wrote to memory of 1636 2712 Bkmcni32.exe 30 PID 2712 wrote to memory of 1636 2712 Bkmcni32.exe 30 PID 2712 wrote to memory of 1636 2712 Bkmcni32.exe 30 PID 2712 wrote to memory of 1636 2712 Bkmcni32.exe 30 PID 1636 wrote to memory of 2472 1636 Bhqdgm32.exe 31 PID 1636 wrote to memory of 2472 1636 Bhqdgm32.exe 31 PID 1636 wrote to memory of 2472 1636 Bhqdgm32.exe 31 PID 1636 wrote to memory of 2472 1636 Bhqdgm32.exe 31 PID 2472 wrote to memory of 2864 2472 Cqqbgoba.exe 32 PID 2472 wrote to memory of 2864 2472 Cqqbgoba.exe 32 PID 2472 wrote to memory of 2864 2472 Cqqbgoba.exe 32 PID 2472 wrote to memory of 2864 2472 Cqqbgoba.exe 32 PID 2864 wrote to memory of 2880 2864 Cfpgee32.exe 33 PID 2864 wrote to memory of 2880 2864 Cfpgee32.exe 33 PID 2864 wrote to memory of 2880 2864 Cfpgee32.exe 33 PID 2864 wrote to memory of 2880 2864 Cfpgee32.exe 33 PID 2880 wrote to memory of 2692 2880 Dkaihkih.exe 34 PID 2880 wrote to memory of 2692 2880 Dkaihkih.exe 34 PID 2880 wrote to memory of 2692 2880 Dkaihkih.exe 34 PID 2880 wrote to memory of 2692 2880 Dkaihkih.exe 34 PID 2692 wrote to memory of 2676 2692 Dlfbck32.exe 35 PID 2692 wrote to memory of 2676 2692 Dlfbck32.exe 35 PID 2692 wrote to memory of 2676 2692 Dlfbck32.exe 35 PID 2692 wrote to memory of 2676 2692 Dlfbck32.exe 35 PID 2676 wrote to memory of 552 2676 Edhmhl32.exe 36 PID 2676 wrote to memory of 552 2676 Edhmhl32.exe 36 PID 2676 wrote to memory of 552 2676 Edhmhl32.exe 36 PID 2676 wrote to memory of 552 2676 Edhmhl32.exe 36 PID 552 wrote to memory of 588 552 Ebmjihqn.exe 37 PID 552 wrote to memory of 588 552 Ebmjihqn.exe 37 PID 552 wrote to memory of 588 552 Ebmjihqn.exe 37 PID 552 wrote to memory of 588 552 Ebmjihqn.exe 37 PID 588 wrote to memory of 2008 588 Fbbcdh32.exe 38 PID 588 wrote to memory of 2008 588 Fbbcdh32.exe 38 PID 588 wrote to memory of 2008 588 Fbbcdh32.exe 38 PID 588 wrote to memory of 2008 588 Fbbcdh32.exe 38 PID 2008 wrote to memory of 2328 2008 Fkpeojha.exe 39 PID 2008 wrote to memory of 2328 2008 Fkpeojha.exe 39 PID 2008 wrote to memory of 2328 2008 Fkpeojha.exe 39 PID 2008 wrote to memory of 2328 2008 Fkpeojha.exe 39 PID 2328 wrote to memory of 1564 2328 Fhfbmn32.exe 40 PID 2328 wrote to memory of 1564 2328 Fhfbmn32.exe 40 PID 2328 wrote to memory of 1564 2328 Fhfbmn32.exe 40 PID 2328 wrote to memory of 1564 2328 Fhfbmn32.exe 40 PID 1564 wrote to memory of 1844 1564 Ggkoojip.exe 41 PID 1564 wrote to memory of 1844 1564 Ggkoojip.exe 41 PID 1564 wrote to memory of 1844 1564 Ggkoojip.exe 41 PID 1564 wrote to memory of 1844 1564 Ggkoojip.exe 41 PID 1844 wrote to memory of 2436 1844 Gaiijgbi.exe 42 PID 1844 wrote to memory of 2436 1844 Gaiijgbi.exe 42 PID 1844 wrote to memory of 2436 1844 Gaiijgbi.exe 42 PID 1844 wrote to memory of 2436 1844 Gaiijgbi.exe 42 PID 2436 wrote to memory of 2400 2436 Glajmppm.exe 43 PID 2436 wrote to memory of 2400 2436 Glajmppm.exe 43 PID 2436 wrote to memory of 2400 2436 Glajmppm.exe 43 PID 2436 wrote to memory of 2400 2436 Glajmppm.exe 43 PID 2400 wrote to memory of 2464 2400 Hgkknm32.exe 44 PID 2400 wrote to memory of 2464 2400 Hgkknm32.exe 44 PID 2400 wrote to memory of 2464 2400 Hgkknm32.exe 44 PID 2400 wrote to memory of 2464 2400 Hgkknm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe"C:\Users\Admin\AppData\Local\Temp\72e1fec4180276833966bc99d54b06daabc9aa149b8b5e168273c2a7fba31269.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Glajmppm.exeC:\Windows\system32\Glajmppm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Hnimeg32.exeC:\Windows\system32\Hnimeg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Iflhjh32.exeC:\Windows\system32\Iflhjh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Jjbgok32.exeC:\Windows\system32\Jjbgok32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Jaahgd32.exeC:\Windows\system32\Jaahgd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Lhhmle32.exeC:\Windows\system32\Lhhmle32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Lcnqin32.exeC:\Windows\system32\Lcnqin32.exe33⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Maejpj32.exeC:\Windows\system32\Maejpj32.exe34⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Moikinib.exeC:\Windows\system32\Moikinib.exe35⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Mgdpnqfn.exeC:\Windows\system32\Mgdpnqfn.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Mnqdpj32.exeC:\Windows\system32\Mnqdpj32.exe37⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe38⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Nlhnfg32.exeC:\Windows\system32\Nlhnfg32.exe39⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe40⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Noighakn.exeC:\Windows\system32\Noighakn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Nokdnail.exeC:\Windows\system32\Nokdnail.exe42⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe43⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Oqomkimg.exeC:\Windows\system32\Oqomkimg.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe45⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe46⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe48⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe49⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe55⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe57⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pjndca32.exeC:\Windows\system32\Pjndca32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe60⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe62⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe63⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe64⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe65⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Aogpmcmb.exeC:\Windows\system32\Aogpmcmb.exe66⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe67⤵PID:268
-
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe68⤵PID:2252
-
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe70⤵PID:3060
-
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe71⤵PID:2360
-
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe74⤵PID:2636
-
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe75⤵PID:2792
-
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe76⤵PID:2076
-
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe77⤵PID:1012
-
C:\Windows\SysWOW64\Cqfdem32.exeC:\Windows\system32\Cqfdem32.exe78⤵PID:1720
-
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe79⤵PID:1992
-
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe80⤵PID:2068
-
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe81⤵PID:2396
-
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe82⤵PID:2020
-
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe83⤵PID:1496
-
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe84⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe85⤵PID:960
-
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Ebemnc32.exeC:\Windows\system32\Ebemnc32.exe87⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Enlncdio.exeC:\Windows\system32\Enlncdio.exe88⤵PID:3048
-
C:\Windows\SysWOW64\Elpnmhgh.exeC:\Windows\system32\Elpnmhgh.exe89⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe90⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe91⤵PID:2700
-
C:\Windows\SysWOW64\Fmfdppia.exeC:\Windows\system32\Fmfdppia.exe92⤵PID:2148
-
C:\Windows\SysWOW64\Fjjeid32.exeC:\Windows\system32\Fjjeid32.exe93⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe94⤵PID:1544
-
C:\Windows\SysWOW64\Fmknko32.exeC:\Windows\system32\Fmknko32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe96⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Fbjchfaq.exeC:\Windows\system32\Fbjchfaq.exe97⤵PID:3024
-
C:\Windows\SysWOW64\Foacmg32.exeC:\Windows\system32\Foacmg32.exe98⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Ghihfl32.exeC:\Windows\system32\Ghihfl32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe100⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe103⤵PID:3004
-
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe104⤵PID:1408
-
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Gpkckneh.exeC:\Windows\system32\Gpkckneh.exe106⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe107⤵PID:2976
-
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe108⤵PID:2448
-
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe109⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe110⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Hpbilmop.exeC:\Windows\system32\Hpbilmop.exe111⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Hjkneb32.exeC:\Windows\system32\Hjkneb32.exe112⤵PID:2732
-
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Hahoodqi.exeC:\Windows\system32\Hahoodqi.exe114⤵PID:3044
-
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe115⤵PID:2884
-
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe116⤵PID:2856
-
C:\Windows\SysWOW64\Ibmhjc32.exeC:\Windows\system32\Ibmhjc32.exe117⤵PID:2124
-
C:\Windows\SysWOW64\Imgija32.exeC:\Windows\system32\Imgija32.exe118⤵PID:1972
-
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe119⤵PID:764
-
C:\Windows\SysWOW64\Ifajif32.exeC:\Windows\system32\Ifajif32.exe120⤵PID:1248
-
C:\Windows\SysWOW64\Iojoalda.exeC:\Windows\system32\Iojoalda.exe121⤵
- Drops file in System32 directory
PID:936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-