Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 23:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d82bc8936d020d14266bf6ac8d9eab80N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d82bc8936d020d14266bf6ac8d9eab80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d82bc8936d020d14266bf6ac8d9eab80N.exe
-
Size
669KB
-
MD5
d82bc8936d020d14266bf6ac8d9eab80
-
SHA1
a4b1392fb9949a86ea34b4e667e708923163b3c6
-
SHA256
3ad3cc5bdf86f264e6bdbc5f81e7ccd229be7b5cbed8f060f701e4042de45bc0
-
SHA512
8f92f6a08eb96cc7937ad31afc76d1ffe21c7cd3104a37955b45f126f91a1fb5fe6bc901fcbd92708d75db9adef5157a5053970f4c66999e623af4178aba99a0
-
SSDEEP
12288:Ki+c7eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:5mchMpQnqrdX72LbY6x46uR/qYglMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fenphjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkhibino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldfcpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debadpeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggnmbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmollme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgjfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmcopebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emeobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbimkpmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpoohik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppkjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imogcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaofgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbgkfbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chocodch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hljaigmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leegbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeiheo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edidqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibipmiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjihmmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpphdpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilmbhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbjifgcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdcdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepfnd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2388 Mjkndb32.exe 3048 Meabakda.exe 2348 Mlkjne32.exe 2844 Njbdea32.exe 2860 Nlhjhi32.exe 3052 Nbbbdcgi.exe 2612 Oeehln32.exe 2556 Oonldcih.exe 1184 Okgjodmi.exe 1392 Pcbncfjd.exe 1172 Pphkbj32.exe 2360 Pcghof32.exe 1204 Phhjblpa.exe 2308 Qaqnkafa.exe 2908 Abegfa32.exe 2956 Ajqljc32.exe 1860 Afjjed32.exe 840 Amcbankf.exe 2172 Aflfjc32.exe 1652 Aijbfo32.exe 1340 Bbbgod32.exe 2564 Beackp32.exe 896 Bnihdemo.exe 1952 Biolanld.exe 3060 Bajqfq32.exe 1576 Befmfpbi.exe 1680 Behilopf.exe 2180 Bgffhkoj.exe 2804 Bcmfmlen.exe 2792 Bgibnj32.exe 2696 Cpdgbm32.exe 1944 Cgkocj32.exe 2588 Cpfdhl32.exe 3008 Cbepdhgc.exe 796 Cfcijf32.exe 1236 Ceeieced.exe 1336 Cfeepelg.exe 1056 Cicalakk.exe 1528 Copjdhib.exe 1856 Daofpchf.exe 2448 Ddpobo32.exe 1072 Dlfgcl32.exe 1988 Dogpdg32.exe 820 Dafmqb32.exe 1348 Dahifbpk.exe 944 Dbifnj32.exe 1080 Elajgpmj.exe 1168 Epmfgo32.exe 872 Eclbcj32.exe 2920 Eiekpd32.exe 2872 Eldglp32.exe 2224 Egikjh32.exe 2700 Ecploipa.exe 2708 Eijdkcgn.exe 2608 Elipgofb.exe 2644 Ecbhdi32.exe 576 Eaeipfei.exe 664 Elkmmodo.exe 2424 Eoiiijcc.exe 2168 Eecafd32.exe 1364 Folfoj32.exe 2468 Fajbke32.exe 1852 Fdiogq32.exe 1728 Fnacpffh.exe -
Loads dropped DLL 64 IoCs
pid Process 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 2388 Mjkndb32.exe 2388 Mjkndb32.exe 3048 Meabakda.exe 3048 Meabakda.exe 2348 Mlkjne32.exe 2348 Mlkjne32.exe 2844 Njbdea32.exe 2844 Njbdea32.exe 2860 Nlhjhi32.exe 2860 Nlhjhi32.exe 3052 Nbbbdcgi.exe 3052 Nbbbdcgi.exe 2612 Oeehln32.exe 2612 Oeehln32.exe 2556 Oonldcih.exe 2556 Oonldcih.exe 1184 Okgjodmi.exe 1184 Okgjodmi.exe 1392 Pcbncfjd.exe 1392 Pcbncfjd.exe 1172 Pphkbj32.exe 1172 Pphkbj32.exe 2360 Pcghof32.exe 2360 Pcghof32.exe 1204 Phhjblpa.exe 1204 Phhjblpa.exe 2308 Qaqnkafa.exe 2308 Qaqnkafa.exe 2908 Abegfa32.exe 2908 Abegfa32.exe 2956 Ajqljc32.exe 2956 Ajqljc32.exe 1860 Afjjed32.exe 1860 Afjjed32.exe 840 Amcbankf.exe 840 Amcbankf.exe 2172 Aflfjc32.exe 2172 Aflfjc32.exe 1652 Aijbfo32.exe 1652 Aijbfo32.exe 1340 Bbbgod32.exe 1340 Bbbgod32.exe 2564 Beackp32.exe 2564 Beackp32.exe 896 Bnihdemo.exe 896 Bnihdemo.exe 1952 Biolanld.exe 1952 Biolanld.exe 3060 Bajqfq32.exe 3060 Bajqfq32.exe 1576 Befmfpbi.exe 1576 Befmfpbi.exe 1680 Behilopf.exe 1680 Behilopf.exe 2180 Bgffhkoj.exe 2180 Bgffhkoj.exe 2804 Bcmfmlen.exe 2804 Bcmfmlen.exe 2792 Bgibnj32.exe 2792 Bgibnj32.exe 2696 Cpdgbm32.exe 2696 Cpdgbm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Copjdhib.exe Cicalakk.exe File created C:\Windows\SysWOW64\Lkfalipj.dll Eecafd32.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Eheglk32.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Mmmloaog.dll Ajjgei32.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jipaip32.exe File created C:\Windows\SysWOW64\Kigpbioo.dll Pgibdjln.exe File created C:\Windows\SysWOW64\Pfeeff32.exe Pbjifgcd.exe File created C:\Windows\SysWOW64\Loqmba32.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Mqpflg32.exe Mnaiol32.exe File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Cncmcm32.exe File created C:\Windows\SysWOW64\Eickphoo.dll Gamnhq32.exe File opened for modification C:\Windows\SysWOW64\Ddmchcnd.exe Dfkclf32.exe File opened for modification C:\Windows\SysWOW64\Nmcopebh.exe Njeccjcd.exe File opened for modification C:\Windows\SysWOW64\Djlfma32.exe Deondj32.exe File created C:\Windows\SysWOW64\Famaimfe.exe Fooembgb.exe File opened for modification C:\Windows\SysWOW64\Gncldi32.exe Gkephn32.exe File created C:\Windows\SysWOW64\Llgjaeoj.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Cnkiqi32.dll Hcdgmimg.exe File created C:\Windows\SysWOW64\Gahjmjal.dll Ichmgl32.exe File created C:\Windows\SysWOW64\Hhmhcigh.exe Gcppkbia.exe File created C:\Windows\SysWOW64\Ocpfkh32.exe Nflfad32.exe File created C:\Windows\SysWOW64\Pcpbik32.exe Pmfjmake.exe File created C:\Windows\SysWOW64\Bikcbc32.exe Bbqkeioh.exe File created C:\Windows\SysWOW64\Ecmjid32.exe Ebknblho.exe File created C:\Windows\SysWOW64\Kckido32.dll Jijacjnc.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Nlohmonb.exe File created C:\Windows\SysWOW64\Figfejbj.dll Kdnild32.exe File opened for modification C:\Windows\SysWOW64\Ompefj32.exe Objaha32.exe File created C:\Windows\SysWOW64\Cpqmndme.dll Alihaioe.exe File opened for modification C:\Windows\SysWOW64\Kljdkpfl.exe Khohkamc.exe File opened for modification C:\Windows\SysWOW64\Dmkcil32.exe Dnhbmpkn.exe File created C:\Windows\SysWOW64\Fkecij32.exe Fgigil32.exe File created C:\Windows\SysWOW64\Bndlbd32.dll Igoomk32.exe File created C:\Windows\SysWOW64\Kbmfgk32.exe Kdkelolf.exe File created C:\Windows\SysWOW64\Qemomb32.exe Qbobaf32.exe File created C:\Windows\SysWOW64\Lcjmleem.dll Hajfgnjc.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Abpcooea.exe Aoagccfn.exe File created C:\Windows\SysWOW64\Dlofgj32.exe Dhckfkbh.exe File created C:\Windows\SysWOW64\Ghejcg32.dll Jdcpkp32.exe File created C:\Windows\SysWOW64\Akgddhmc.dll Ggnmbn32.exe File created C:\Windows\SysWOW64\Ladebd32.exe Llgljn32.exe File opened for modification C:\Windows\SysWOW64\Apefjqob.exe Afmbak32.exe File created C:\Windows\SysWOW64\Ibdlbppo.dll Ebfqfpop.exe File created C:\Windows\SysWOW64\Djjjga32.exe Dgknkf32.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Gmpcgace.exe File created C:\Windows\SysWOW64\Lmhjag32.dll Gonocmbi.exe File opened for modification C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File opened for modification C:\Windows\SysWOW64\Aiaoclgl.exe Aknngo32.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Pikijafg.dll Mmccqbpm.exe File created C:\Windows\SysWOW64\Oajndh32.exe Obgnhkkh.exe File opened for modification C:\Windows\SysWOW64\Nnodgbed.exe Nlohmonb.exe File created C:\Windows\SysWOW64\Oeehln32.exe Nbbbdcgi.exe File opened for modification C:\Windows\SysWOW64\Pphkbj32.exe Pcbncfjd.exe File created C:\Windows\SysWOW64\Bkkpkade.dll Epmfgo32.exe File created C:\Windows\SysWOW64\Gjifodii.exe Gconbj32.exe File opened for modification C:\Windows\SysWOW64\Khohkamc.exe Kbbobkol.exe File created C:\Windows\SysWOW64\Pbigmn32.exe Pbigmn32.exe File created C:\Windows\SysWOW64\Jimohpcc.dll Bnlphh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3960 3356 WerFault.exe 1011 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphfbiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkndb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpamoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbqkeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbhkmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgogealf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqfpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopphehb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feggob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbpehpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnmbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chocodch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingkdeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einlmkhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkfgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqcmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljigih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mghckj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiddbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbpne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchdpbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qldhkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofafgipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 d82bc8936d020d14266bf6ac8d9eab80N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbclcja.dll" Fggmldfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbmdhfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppopja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akadpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljddjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekfpmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkbmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opaqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imacijjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epnkip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbbccgmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnppecd.dll" Aijbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoamb32.dll" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfibfeh.dll" Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmqhd32.dll" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeecim32.dll" Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpqofd.dll" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofndb32.dll" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmehhn32.dll" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbdaaci.dll" Hneeilgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loaokjjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hljaigmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damocb32.dll" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceeieced.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkkfgi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2388 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 30 PID 2560 wrote to memory of 2388 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 30 PID 2560 wrote to memory of 2388 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 30 PID 2560 wrote to memory of 2388 2560 d82bc8936d020d14266bf6ac8d9eab80N.exe 30 PID 2388 wrote to memory of 3048 2388 Mjkndb32.exe 31 PID 2388 wrote to memory of 3048 2388 Mjkndb32.exe 31 PID 2388 wrote to memory of 3048 2388 Mjkndb32.exe 31 PID 2388 wrote to memory of 3048 2388 Mjkndb32.exe 31 PID 3048 wrote to memory of 2348 3048 Meabakda.exe 32 PID 3048 wrote to memory of 2348 3048 Meabakda.exe 32 PID 3048 wrote to memory of 2348 3048 Meabakda.exe 32 PID 3048 wrote to memory of 2348 3048 Meabakda.exe 32 PID 2348 wrote to memory of 2844 2348 Mlkjne32.exe 33 PID 2348 wrote to memory of 2844 2348 Mlkjne32.exe 33 PID 2348 wrote to memory of 2844 2348 Mlkjne32.exe 33 PID 2348 wrote to memory of 2844 2348 Mlkjne32.exe 33 PID 2844 wrote to memory of 2860 2844 Njbdea32.exe 34 PID 2844 wrote to memory of 2860 2844 Njbdea32.exe 34 PID 2844 wrote to memory of 2860 2844 Njbdea32.exe 34 PID 2844 wrote to memory of 2860 2844 Njbdea32.exe 34 PID 2860 wrote to memory of 3052 2860 Nlhjhi32.exe 35 PID 2860 wrote to memory of 3052 2860 Nlhjhi32.exe 35 PID 2860 wrote to memory of 3052 2860 Nlhjhi32.exe 35 PID 2860 wrote to memory of 3052 2860 Nlhjhi32.exe 35 PID 3052 wrote to memory of 2612 3052 Nbbbdcgi.exe 36 PID 3052 wrote to memory of 2612 3052 Nbbbdcgi.exe 36 PID 3052 wrote to memory of 2612 3052 Nbbbdcgi.exe 36 PID 3052 wrote to memory of 2612 3052 Nbbbdcgi.exe 36 PID 2612 wrote to memory of 2556 2612 Oeehln32.exe 37 PID 2612 wrote to memory of 2556 2612 Oeehln32.exe 37 PID 2612 wrote to memory of 2556 2612 Oeehln32.exe 37 PID 2612 wrote to memory of 2556 2612 Oeehln32.exe 37 PID 2556 wrote to memory of 1184 2556 Oonldcih.exe 38 PID 2556 wrote to memory of 1184 2556 Oonldcih.exe 38 PID 2556 wrote to memory of 1184 2556 Oonldcih.exe 38 PID 2556 wrote to memory of 1184 2556 Oonldcih.exe 38 PID 1184 wrote to memory of 1392 1184 Okgjodmi.exe 39 PID 1184 wrote to memory of 1392 1184 Okgjodmi.exe 39 PID 1184 wrote to memory of 1392 1184 Okgjodmi.exe 39 PID 1184 wrote to memory of 1392 1184 Okgjodmi.exe 39 PID 1392 wrote to memory of 1172 1392 Pcbncfjd.exe 40 PID 1392 wrote to memory of 1172 1392 Pcbncfjd.exe 40 PID 1392 wrote to memory of 1172 1392 Pcbncfjd.exe 40 PID 1392 wrote to memory of 1172 1392 Pcbncfjd.exe 40 PID 1172 wrote to memory of 2360 1172 Pphkbj32.exe 41 PID 1172 wrote to memory of 2360 1172 Pphkbj32.exe 41 PID 1172 wrote to memory of 2360 1172 Pphkbj32.exe 41 PID 1172 wrote to memory of 2360 1172 Pphkbj32.exe 41 PID 2360 wrote to memory of 1204 2360 Pcghof32.exe 42 PID 2360 wrote to memory of 1204 2360 Pcghof32.exe 42 PID 2360 wrote to memory of 1204 2360 Pcghof32.exe 42 PID 2360 wrote to memory of 1204 2360 Pcghof32.exe 42 PID 1204 wrote to memory of 2308 1204 Phhjblpa.exe 43 PID 1204 wrote to memory of 2308 1204 Phhjblpa.exe 43 PID 1204 wrote to memory of 2308 1204 Phhjblpa.exe 43 PID 1204 wrote to memory of 2308 1204 Phhjblpa.exe 43 PID 2308 wrote to memory of 2908 2308 Qaqnkafa.exe 44 PID 2308 wrote to memory of 2908 2308 Qaqnkafa.exe 44 PID 2308 wrote to memory of 2908 2308 Qaqnkafa.exe 44 PID 2308 wrote to memory of 2908 2308 Qaqnkafa.exe 44 PID 2908 wrote to memory of 2956 2908 Abegfa32.exe 45 PID 2908 wrote to memory of 2956 2908 Abegfa32.exe 45 PID 2908 wrote to memory of 2956 2908 Abegfa32.exe 45 PID 2908 wrote to memory of 2956 2908 Abegfa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d82bc8936d020d14266bf6ac8d9eab80N.exe"C:\Users\Admin\AppData\Local\Temp\d82bc8936d020d14266bf6ac8d9eab80N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe34⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe35⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe36⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe38⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe40⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe41⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe42⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe43⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe44⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe45⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe46⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe47⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe48⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe51⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe52⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe53⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe54⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe55⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe56⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe57⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe58⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe59⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe62⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe64⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe65⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe66⤵PID:1668
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe67⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe68⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe69⤵PID:2436
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe70⤵PID:2964
-
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe71⤵PID:2912
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe72⤵PID:2400
-
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe73⤵PID:2796
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe74⤵PID:2824
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe75⤵PID:2896
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe77⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe78⤵PID:1060
-
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe79⤵PID:848
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe80⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe83⤵PID:2460
-
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe84⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe85⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe87⤵PID:2264
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe88⤵PID:1928
-
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe90⤵PID:2596
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe91⤵PID:2060
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe92⤵PID:1664
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe93⤵PID:2016
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe94⤵PID:3028
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe96⤵PID:2900
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe97⤵PID:1140
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe98⤵PID:2256
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe99⤵PID:2484
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe100⤵PID:2356
-
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe101⤵PID:2004
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe102⤵PID:2728
-
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe103⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe104⤵PID:2220
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe105⤵PID:3056
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe106⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe107⤵PID:2692
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe108⤵PID:1560
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe109⤵PID:2380
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe110⤵PID:2948
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe111⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe112⤵PID:3012
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe113⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe114⤵PID:2704
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe115⤵PID:2744
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe118⤵PID:1556
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe119⤵PID:2212
-
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe120⤵PID:2528
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe121⤵PID:1716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-