Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 22:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78ee934c79f77f56432cbf3abeb240d0N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
78ee934c79f77f56432cbf3abeb240d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
78ee934c79f77f56432cbf3abeb240d0N.exe
-
Size
79KB
-
MD5
78ee934c79f77f56432cbf3abeb240d0
-
SHA1
699ca35bd6933ee0862340f319866d8b7cfaae50
-
SHA256
328a22c416259da362f057cbc26cb816f215c09c04c971fbf5ab1ddfebec2faf
-
SHA512
b1df482561af19efbbeb8e566f336d7e6861698b7715098e96a3028c093ded310c71edfcae39ccc7c85fea162690e8a160d1f57f21aa85dc4719526c039a1d37
-
SSDEEP
1536:fyRoW3Wbt/PF9RjxR2Cn6Aa9sUEHiFkSIgiItKq9v6DK:fyRoW3EFd0nAaaUEHixtBtKq9vV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepclldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmgifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmddgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffmpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkbjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iifghk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhflcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpehpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noojdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlablaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfidqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebknblho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcelp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naegmabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfoeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcicf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofiopaap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcacochk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohengmcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahimb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqpebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipcbidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfkihon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpanne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilgjhena.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkkpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabdecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoijebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beogaenl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgccbhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbklnpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmhcigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncgbkki.exe -
Executes dropped EXE 64 IoCs
pid Process 2308 Qjfalj32.exe 2812 Qdofep32.exe 2776 Aiknnf32.exe 2556 Apefjqob.exe 2568 Abdbflnf.exe 2088 Ainkcf32.exe 744 Allgoa32.exe 1184 Abfoll32.exe 2180 Aedlhg32.exe 2908 Ahchdb32.exe 2804 Aompambg.exe 1140 Aaklmhak.exe 484 Adjhicpo.exe 2304 Akdafn32.exe 2160 Anbmbi32.exe 1696 Aeiecfga.exe 992 Ahhaobfe.exe 1176 Aoaill32.exe 948 Bapfhg32.exe 1884 Bpcfcddp.exe 1672 Bhjneadb.exe 1600 Bkhjamcf.exe 3040 Babbng32.exe 2044 Bgokfnij.exe 2440 Bjngbihn.exe 2616 Bllcnega.exe 2644 Bcflko32.exe 2008 Bjpdhifk.exe 2564 Bpjldc32.exe 2588 Bgddam32.exe 1968 Bjbqmi32.exe 1276 Bheaiekc.exe 1960 Bfiabjjm.exe 1484 Bjembh32.exe 1216 Ckfjjqhd.exe 2748 Cfknhi32.exe 440 Chjjde32.exe 2328 Cbbomjnn.exe 2344 Cfnkmi32.exe 1816 Cdqkifmb.exe 2192 Cqglng32.exe 832 Ckmpkpbl.exe 1340 Cnklgkap.exe 3068 Cbghhj32.exe 1020 Cqjhcfpc.exe 1888 Cdedde32.exe 3060 Cgdqpq32.exe 2068 Ckomqopi.exe 1584 Cnnimkom.exe 2656 Cnnimkom.exe 3000 Cqleifna.exe 2628 Dcjaeamd.exe 2528 Dgfmep32.exe 1940 Djdjalea.exe 2216 Dmcfngde.exe 2488 Dqobnf32.exe 1100 Doabjbci.exe 2940 Dcmnja32.exe 2016 Dijfch32.exe 2112 Dmebcgbb.exe 2356 Docopbaf.exe 1384 Dbbklnpj.exe 2096 Djicmk32.exe 1988 Dilchhgg.exe -
Loads dropped DLL 64 IoCs
pid Process 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 2308 Qjfalj32.exe 2308 Qjfalj32.exe 2812 Qdofep32.exe 2812 Qdofep32.exe 2776 Aiknnf32.exe 2776 Aiknnf32.exe 2556 Apefjqob.exe 2556 Apefjqob.exe 2568 Abdbflnf.exe 2568 Abdbflnf.exe 2088 Ainkcf32.exe 2088 Ainkcf32.exe 744 Allgoa32.exe 744 Allgoa32.exe 1184 Abfoll32.exe 1184 Abfoll32.exe 2180 Aedlhg32.exe 2180 Aedlhg32.exe 2908 Ahchdb32.exe 2908 Ahchdb32.exe 2804 Aompambg.exe 2804 Aompambg.exe 1140 Aaklmhak.exe 1140 Aaklmhak.exe 484 Adjhicpo.exe 484 Adjhicpo.exe 2304 Akdafn32.exe 2304 Akdafn32.exe 2160 Anbmbi32.exe 2160 Anbmbi32.exe 1696 Aeiecfga.exe 1696 Aeiecfga.exe 992 Ahhaobfe.exe 992 Ahhaobfe.exe 1176 Aoaill32.exe 1176 Aoaill32.exe 948 Bapfhg32.exe 948 Bapfhg32.exe 1884 Bpcfcddp.exe 1884 Bpcfcddp.exe 1672 Bhjneadb.exe 1672 Bhjneadb.exe 1600 Bkhjamcf.exe 1600 Bkhjamcf.exe 3040 Babbng32.exe 3040 Babbng32.exe 2044 Bgokfnij.exe 2044 Bgokfnij.exe 2440 Bjngbihn.exe 2440 Bjngbihn.exe 2616 Bllcnega.exe 2616 Bllcnega.exe 2644 Bcflko32.exe 2644 Bcflko32.exe 2008 Bjpdhifk.exe 2008 Bjpdhifk.exe 2564 Bpjldc32.exe 2564 Bpjldc32.exe 2588 Bgddam32.exe 2588 Bgddam32.exe 1968 Bjbqmi32.exe 1968 Bjbqmi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oljgqipg.dll Kcmdjgbh.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe File created C:\Windows\SysWOW64\Diaalggp.dll Eddjhb32.exe File created C:\Windows\SysWOW64\Ilgjhena.exe Ihlnhffh.exe File created C:\Windows\SysWOW64\Hgkfkohg.dll Kolhdbjh.exe File opened for modification C:\Windows\SysWOW64\Cnklgkap.exe Ckmpkpbl.exe File opened for modification C:\Windows\SysWOW64\Fhhbif32.exe Fiebnjbg.exe File created C:\Windows\SysWOW64\Fkkhpadq.exe Fhmldfdm.exe File opened for modification C:\Windows\SysWOW64\Ojndpqpq.exe Okkddd32.exe File created C:\Windows\SysWOW64\Kcajceke.exe Kenjgi32.exe File opened for modification C:\Windows\SysWOW64\Lmnhgjmp.exe Liblfl32.exe File opened for modification C:\Windows\SysWOW64\Bdcnhk32.exe Bphaglgo.exe File opened for modification C:\Windows\SysWOW64\Lkifkdjm.exe Lgnjke32.exe File created C:\Windows\SysWOW64\Adiaommc.exe Apnfno32.exe File created C:\Windows\SysWOW64\Cfaqfh32.exe Cgnpjkhj.exe File opened for modification C:\Windows\SysWOW64\Ggklka32.exe Goddjc32.exe File created C:\Windows\SysWOW64\Cdaimdkg.dll Pfqlkfoc.exe File opened for modification C:\Windows\SysWOW64\Donojm32.exe Dkbbinig.exe File created C:\Windows\SysWOW64\Iemalkgd.exe Iaaekl32.exe File created C:\Windows\SysWOW64\Idjeonbj.dll Dgfmep32.exe File created C:\Windows\SysWOW64\Einlmkhp.exe Efppqoil.exe File opened for modification C:\Windows\SysWOW64\Gdcmig32.exe Geqlnjcf.exe File created C:\Windows\SysWOW64\Jhpgpkho.dll Enhaeldn.exe File created C:\Windows\SysWOW64\Boegjgoa.dll Golgon32.exe File opened for modification C:\Windows\SysWOW64\Gkedjo32.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Bjfpdf32.exe Bldpiifb.exe File created C:\Windows\SysWOW64\Hkpnjd32.exe Hlmnogkl.exe File created C:\Windows\SysWOW64\Igkhjdde.exe Icplje32.exe File created C:\Windows\SysWOW64\Cgkqcb32.dll Cppobaeb.exe File created C:\Windows\SysWOW64\Ldiceg32.dll Fdlpnamm.exe File opened for modification C:\Windows\SysWOW64\Oqepgk32.exe Ojkhjabc.exe File created C:\Windows\SysWOW64\Inncclpb.dll Jfekec32.exe File created C:\Windows\SysWOW64\Jgdinn32.dll Mdojnm32.exe File created C:\Windows\SysWOW64\Dfhgggim.exe Dbmkfh32.exe File opened for modification C:\Windows\SysWOW64\Bhdjno32.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Gnngnk32.dll Empomd32.exe File opened for modification C:\Windows\SysWOW64\Pajeanhf.exe Pbgefa32.exe File created C:\Windows\SysWOW64\Ihjfjc32.dll Qfikod32.exe File created C:\Windows\SysWOW64\Aompambg.exe Ahchdb32.exe File created C:\Windows\SysWOW64\Nbihoo32.dll Ghaeoe32.exe File created C:\Windows\SysWOW64\Apilcoho.exe Amjpgdik.exe File opened for modification C:\Windows\SysWOW64\Djicmk32.exe Dbbklnpj.exe File opened for modification C:\Windows\SysWOW64\Ecmjid32.exe Ebknblho.exe File created C:\Windows\SysWOW64\Hpnlndkp.exe Hlbpme32.exe File opened for modification C:\Windows\SysWOW64\Idghhf32.exe Ibillk32.exe File created C:\Windows\SysWOW64\Anpmohcl.dll Pjpmdd32.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Njchfc32.exe File created C:\Windows\SysWOW64\Gminbfoh.exe Gimaah32.exe File created C:\Windows\SysWOW64\Gcmfdqgf.dll Hpgfmeag.exe File created C:\Windows\SysWOW64\Ippdloip.dll Dgqion32.exe File created C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File created C:\Windows\SysWOW64\Manjaldo.exe Migbpocm.exe File opened for modification C:\Windows\SysWOW64\Anpooe32.exe Ajdcofop.exe File opened for modification C:\Windows\SysWOW64\Ciglaa32.exe Capdpcge.exe File created C:\Windows\SysWOW64\Iciopdca.exe Ikagogco.exe File opened for modification C:\Windows\SysWOW64\Mdmmhn32.exe Mejmmqpd.exe File opened for modification C:\Windows\SysWOW64\Bhbmip32.exe Bdfahaaa.exe File created C:\Windows\SysWOW64\Jaiiogdj.dll Jbphgpfg.exe File created C:\Windows\SysWOW64\Acjpkfcf.dll Fjaoplho.exe File created C:\Windows\SysWOW64\Kaekljjo.exe Knfopnkk.exe File created C:\Windows\SysWOW64\Lnfbic32.dll Qnpcpa32.exe File created C:\Windows\SysWOW64\Ebialmjb.exe Enneln32.exe File opened for modification C:\Windows\SysWOW64\Lkelpd32.exe Lfippfej.exe File created C:\Windows\SysWOW64\Edoblfhf.dll Glpgibbn.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdqpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmljcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnjeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbchkime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdcofop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopknhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkcpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnkanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkbpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcpdfhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclqqeaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcemnopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbpocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boobki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acadchoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehhqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apefjqob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckomqopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfiocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifnhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdepmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqkifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqjao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamlhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmebcgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknmok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncipjieo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calonebc.dll" Inepgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjibmbqj.dll" Pkhdnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimkklpe.dll" Pbdipa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgokfnij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihcbim32.dll" Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpmkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjkbh32.dll" Jgbjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keiqlihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnlqk32.dll" Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll" Cjoilfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migbpocm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcajboa.dll" Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honlnbae.dll" Mnhnfckm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcedne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anpooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhnjk32.dll" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkdcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpehd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbblkaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodohnaa.dll" Abjeejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll" Ciglaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogckopd.dll" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biheek32.dll" Nopaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmibmhoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnkmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnjpcle.dll" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqhlnkm.dll" Gmkjgfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dinpnged.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebknblho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckecpjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kmclmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcplf32.dll" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncaean32.dll" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkinbcp.dll" Ejioln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecebm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjhnfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll" Bkqiek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mheeif32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2308 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 30 PID 2700 wrote to memory of 2308 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 30 PID 2700 wrote to memory of 2308 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 30 PID 2700 wrote to memory of 2308 2700 78ee934c79f77f56432cbf3abeb240d0N.exe 30 PID 2308 wrote to memory of 2812 2308 Qjfalj32.exe 31 PID 2308 wrote to memory of 2812 2308 Qjfalj32.exe 31 PID 2308 wrote to memory of 2812 2308 Qjfalj32.exe 31 PID 2308 wrote to memory of 2812 2308 Qjfalj32.exe 31 PID 2812 wrote to memory of 2776 2812 Qdofep32.exe 32 PID 2812 wrote to memory of 2776 2812 Qdofep32.exe 32 PID 2812 wrote to memory of 2776 2812 Qdofep32.exe 32 PID 2812 wrote to memory of 2776 2812 Qdofep32.exe 32 PID 2776 wrote to memory of 2556 2776 Aiknnf32.exe 33 PID 2776 wrote to memory of 2556 2776 Aiknnf32.exe 33 PID 2776 wrote to memory of 2556 2776 Aiknnf32.exe 33 PID 2776 wrote to memory of 2556 2776 Aiknnf32.exe 33 PID 2556 wrote to memory of 2568 2556 Apefjqob.exe 34 PID 2556 wrote to memory of 2568 2556 Apefjqob.exe 34 PID 2556 wrote to memory of 2568 2556 Apefjqob.exe 34 PID 2556 wrote to memory of 2568 2556 Apefjqob.exe 34 PID 2568 wrote to memory of 2088 2568 Abdbflnf.exe 35 PID 2568 wrote to memory of 2088 2568 Abdbflnf.exe 35 PID 2568 wrote to memory of 2088 2568 Abdbflnf.exe 35 PID 2568 wrote to memory of 2088 2568 Abdbflnf.exe 35 PID 2088 wrote to memory of 744 2088 Ainkcf32.exe 36 PID 2088 wrote to memory of 744 2088 Ainkcf32.exe 36 PID 2088 wrote to memory of 744 2088 Ainkcf32.exe 36 PID 2088 wrote to memory of 744 2088 Ainkcf32.exe 36 PID 744 wrote to memory of 1184 744 Allgoa32.exe 37 PID 744 wrote to memory of 1184 744 Allgoa32.exe 37 PID 744 wrote to memory of 1184 744 Allgoa32.exe 37 PID 744 wrote to memory of 1184 744 Allgoa32.exe 37 PID 1184 wrote to memory of 2180 1184 Abfoll32.exe 38 PID 1184 wrote to memory of 2180 1184 Abfoll32.exe 38 PID 1184 wrote to memory of 2180 1184 Abfoll32.exe 38 PID 1184 wrote to memory of 2180 1184 Abfoll32.exe 38 PID 2180 wrote to memory of 2908 2180 Aedlhg32.exe 39 PID 2180 wrote to memory of 2908 2180 Aedlhg32.exe 39 PID 2180 wrote to memory of 2908 2180 Aedlhg32.exe 39 PID 2180 wrote to memory of 2908 2180 Aedlhg32.exe 39 PID 2908 wrote to memory of 2804 2908 Ahchdb32.exe 40 PID 2908 wrote to memory of 2804 2908 Ahchdb32.exe 40 PID 2908 wrote to memory of 2804 2908 Ahchdb32.exe 40 PID 2908 wrote to memory of 2804 2908 Ahchdb32.exe 40 PID 2804 wrote to memory of 1140 2804 Aompambg.exe 41 PID 2804 wrote to memory of 1140 2804 Aompambg.exe 41 PID 2804 wrote to memory of 1140 2804 Aompambg.exe 41 PID 2804 wrote to memory of 1140 2804 Aompambg.exe 41 PID 1140 wrote to memory of 484 1140 Aaklmhak.exe 42 PID 1140 wrote to memory of 484 1140 Aaklmhak.exe 42 PID 1140 wrote to memory of 484 1140 Aaklmhak.exe 42 PID 1140 wrote to memory of 484 1140 Aaklmhak.exe 42 PID 484 wrote to memory of 2304 484 Adjhicpo.exe 43 PID 484 wrote to memory of 2304 484 Adjhicpo.exe 43 PID 484 wrote to memory of 2304 484 Adjhicpo.exe 43 PID 484 wrote to memory of 2304 484 Adjhicpo.exe 43 PID 2304 wrote to memory of 2160 2304 Akdafn32.exe 44 PID 2304 wrote to memory of 2160 2304 Akdafn32.exe 44 PID 2304 wrote to memory of 2160 2304 Akdafn32.exe 44 PID 2304 wrote to memory of 2160 2304 Akdafn32.exe 44 PID 2160 wrote to memory of 1696 2160 Anbmbi32.exe 45 PID 2160 wrote to memory of 1696 2160 Anbmbi32.exe 45 PID 2160 wrote to memory of 1696 2160 Anbmbi32.exe 45 PID 2160 wrote to memory of 1696 2160 Anbmbi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\78ee934c79f77f56432cbf3abeb240d0N.exe"C:\Users\Admin\AppData\Local\Temp\78ee934c79f77f56432cbf3abeb240d0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe33⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe34⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Bjembh32.exeC:\Windows\system32\Bjembh32.exe35⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe36⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe37⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe38⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe39⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe44⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe45⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe46⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe47⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe50⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe51⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe52⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe55⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe56⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe57⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe58⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe59⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe60⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe62⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe64⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe65⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe66⤵PID:1812
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe67⤵PID:1096
-
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe68⤵PID:2256
-
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe70⤵PID:2832
-
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe71⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe72⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe74⤵PID:2400
-
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe75⤵PID:3020
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe76⤵PID:2800
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe78⤵PID:684
-
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe79⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe80⤵PID:1740
-
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe81⤵PID:2472
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe82⤵PID:888
-
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe83⤵PID:1548
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe85⤵PID:2152
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe86⤵PID:2808
-
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe87⤵PID:1708
-
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe88⤵PID:1564
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe90⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe91⤵PID:1864
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe92⤵PID:1048
-
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe93⤵PID:1892
-
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe94⤵PID:2072
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe95⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe96⤵PID:1404
-
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe97⤵PID:1904
-
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe98⤵PID:892
-
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe99⤵PID:2888
-
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe100⤵PID:2516
-
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe101⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe102⤵PID:1380
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe103⤵PID:2276
-
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe104⤵PID:2936
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe105⤵PID:2580
-
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe106⤵PID:764
-
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe108⤵PID:1908
-
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe110⤵PID:2380
-
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe111⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe112⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe113⤵PID:2760
-
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe114⤵PID:2540
-
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe115⤵PID:2868
-
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe116⤵PID:2612
-
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe117⤵PID:2036
-
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe118⤵PID:2188
-
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe119⤵PID:1876
-
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe120⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe121⤵PID:1700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-