Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 23:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4e3f6f198cdb5e80d12d497d7b22300N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b4e3f6f198cdb5e80d12d497d7b22300N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b4e3f6f198cdb5e80d12d497d7b22300N.exe
-
Size
78KB
-
MD5
b4e3f6f198cdb5e80d12d497d7b22300
-
SHA1
5d0c0cc8364c9fee49a6209f85f01078d4887a2a
-
SHA256
f719277a32675b02432cdafa70709261655f5cda577e007288fb7c59875dd61b
-
SHA512
cc8fb0172ac3ca79c90999c55de3f44ca6bfad35a7366f642280ce090c0c6355d1012161bdc042c3a61d97a0dbe6691a131a9e51ac94c5246a5f90fb4701bd6c
-
SSDEEP
768:awmUs+ydoFfW4WcVgYbQrEvd+TFbZmPGjBftl0Jp+nlafo/1H5vDXdnhg8+nzNdH:aPwFfWD1ZmGfPnlafiVBN+zL20gJi1ie
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneaacno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbookpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehicoom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miclhpjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgiked32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejmmqpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcngamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfeeff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclcon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdjpfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahngomkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcofica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkbpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggipg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldfcpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkdckff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnodgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobndj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbakc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obecld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnfhqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbcfdmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maldfbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qblfkgqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beogaenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doqkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfahaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglmefcg.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Hajfgnjc.exe 2680 Hdhbci32.exe 2812 Hnpgloog.exe 2600 Hgiked32.exe 1240 Hbnpbm32.exe 1660 Ijidfpci.exe 2904 Ifpelq32.exe 2092 Imjmhkpj.exe 1040 Iqhfnifq.exe 2840 Ibibfa32.exe 352 Ikagogco.exe 264 Iblola32.exe 2164 Joppeeif.exe 2264 Jgkdigfa.exe 1044 Jacibm32.exe 1812 Jgmaog32.exe 1284 Jaeehmko.exe 2288 Jjnjqb32.exe 2340 Jahbmlil.exe 2952 Jecnnk32.exe 2220 Jmocbnop.exe 1556 Jcikog32.exe 2756 Kmaphmln.exe 2784 Kckhdg32.exe 2672 Kihpmnbb.exe 2716 Klfmijae.exe 2836 Kflafbak.exe 3044 Kmficl32.exe 3012 Kbbakc32.exe 1988 Kfnnlboi.exe 2948 Klkfdi32.exe 2160 Kbenacdm.exe 1388 Kaholp32.exe 2456 Khagijcd.exe 1412 Klmbjh32.exe 2276 Lbgkfbbj.exe 1496 Lajkbp32.exe 2392 Ldhgnk32.exe 2216 Lhdcojaa.exe 2452 Lkbpke32.exe 1804 Lmalgq32.exe 1792 Lalhgogb.exe 1784 Ldkdckff.exe 1700 Lfippfej.exe 568 Lophacfl.exe 1516 Lmcilp32.exe 1960 Lpaehl32.exe 2764 Lhimji32.exe 2688 Lglmefcg.exe 1588 Lmeebpkd.exe 2692 Laaabo32.exe 2292 Ldpnoj32.exe 3004 Lgnjke32.exe 644 Lilfgq32.exe 2768 Llkbcl32.exe 1860 Lpfnckhe.exe 1000 Lcdjpfgh.exe 1104 Lgpfpe32.exe 896 Mmjomogn.exe 2344 Mlmoilni.exe 1936 Mokkegmm.exe 2084 Mgbcfdmo.exe 1532 Miapbpmb.exe 1668 Monhjgkj.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 2700 Hajfgnjc.exe 2700 Hajfgnjc.exe 2680 Hdhbci32.exe 2680 Hdhbci32.exe 2812 Hnpgloog.exe 2812 Hnpgloog.exe 2600 Hgiked32.exe 2600 Hgiked32.exe 1240 Hbnpbm32.exe 1240 Hbnpbm32.exe 1660 Ijidfpci.exe 1660 Ijidfpci.exe 2904 Ifpelq32.exe 2904 Ifpelq32.exe 2092 Imjmhkpj.exe 2092 Imjmhkpj.exe 1040 Iqhfnifq.exe 1040 Iqhfnifq.exe 2840 Ibibfa32.exe 2840 Ibibfa32.exe 352 Ikagogco.exe 352 Ikagogco.exe 264 Iblola32.exe 264 Iblola32.exe 2164 Joppeeif.exe 2164 Joppeeif.exe 2264 Jgkdigfa.exe 2264 Jgkdigfa.exe 1044 Jacibm32.exe 1044 Jacibm32.exe 1812 Jgmaog32.exe 1812 Jgmaog32.exe 1284 Jaeehmko.exe 1284 Jaeehmko.exe 2288 Jjnjqb32.exe 2288 Jjnjqb32.exe 2340 Jahbmlil.exe 2340 Jahbmlil.exe 2952 Jecnnk32.exe 2952 Jecnnk32.exe 2220 Jmocbnop.exe 2220 Jmocbnop.exe 1556 Jcikog32.exe 1556 Jcikog32.exe 2756 Kmaphmln.exe 2756 Kmaphmln.exe 2784 Kckhdg32.exe 2784 Kckhdg32.exe 2672 Kihpmnbb.exe 2672 Kihpmnbb.exe 2716 Klfmijae.exe 2716 Klfmijae.exe 2836 Kflafbak.exe 2836 Kflafbak.exe 3044 Kmficl32.exe 3044 Kmficl32.exe 3012 Kbbakc32.exe 3012 Kbbakc32.exe 1988 Kfnnlboi.exe 1988 Kfnnlboi.exe 2948 Klkfdi32.exe 2948 Klkfdi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qhincn32.exe Qekbgbpf.exe File opened for modification C:\Windows\SysWOW64\Ajamfh32.exe Abjeejep.exe File created C:\Windows\SysWOW64\Plpqim32.exe Pmmqmpdm.exe File opened for modification C:\Windows\SysWOW64\Pnnmeh32.exe Plpqim32.exe File opened for modification C:\Windows\SysWOW64\Bpboinpd.exe Bhkghqpb.exe File created C:\Windows\SysWOW64\Cjoilfek.exe Cceapl32.exe File created C:\Windows\SysWOW64\Ifpelq32.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Njeelc32.exe Nggipg32.exe File created C:\Windows\SysWOW64\Kbbinm32.dll Padccpal.exe File created C:\Windows\SysWOW64\Ahngomkd.exe Adblnnbk.exe File created C:\Windows\SysWOW64\Hgiked32.exe Hnpgloog.exe File created C:\Windows\SysWOW64\Landhm32.dll Iqhfnifq.exe File created C:\Windows\SysWOW64\Kaholp32.exe Kbenacdm.exe File created C:\Windows\SysWOW64\Nplkbo32.dll Pgibdjln.exe File created C:\Windows\SysWOW64\Eknjoj32.dll Bbchkime.exe File created C:\Windows\SysWOW64\Dqddmd32.exe Dnfhqi32.exe File opened for modification C:\Windows\SysWOW64\Ejcofica.exe Egebjmdn.exe File created C:\Windows\SysWOW64\Iqhfnifq.exe Imjmhkpj.exe File opened for modification C:\Windows\SysWOW64\Kmaphmln.exe Jcikog32.exe File created C:\Windows\SysWOW64\Mdmmhn32.exe Mejmmqpd.exe File created C:\Windows\SysWOW64\Omhkcnfg.exe Odacbpee.exe File opened for modification C:\Windows\SysWOW64\Nlohmonb.exe Njalacon.exe File opened for modification C:\Windows\SysWOW64\Bdinnqon.exe Befnbd32.exe File created C:\Windows\SysWOW64\Lhhkobjh.dll Macjgadf.exe File created C:\Windows\SysWOW64\Fhipniif.dll Ldkdckff.exe File opened for modification C:\Windows\SysWOW64\Pimkbbpi.exe Pfnoegaf.exe File opened for modification C:\Windows\SysWOW64\Bkqiek32.exe Blniinac.exe File created C:\Windows\SysWOW64\Hajfgnjc.exe b4e3f6f198cdb5e80d12d497d7b22300N.exe File created C:\Windows\SysWOW64\Lcdjpfgh.exe Lpfnckhe.exe File opened for modification C:\Windows\SysWOW64\Cglcek32.exe Cdngip32.exe File created C:\Windows\SysWOW64\Ddkgbc32.exe Dcjjkkji.exe File created C:\Windows\SysWOW64\Klkfdi32.exe Kfnnlboi.exe File opened for modification C:\Windows\SysWOW64\Mneaacno.exe Mobaef32.exe File created C:\Windows\SysWOW64\Dqinhcoc.exe Dmmbge32.exe File opened for modification C:\Windows\SysWOW64\Ndfpnl32.exe Nlohmonb.exe File opened for modification C:\Windows\SysWOW64\Fedfgejh.exe Fbfjkj32.exe File created C:\Windows\SysWOW64\Idcoaaei.dll Bafhff32.exe File created C:\Windows\SysWOW64\Pmkdhq32.exe Piohgbng.exe File created C:\Windows\SysWOW64\Mkhipkdd.dll Nhkbmo32.exe File created C:\Windows\SysWOW64\Pfchqf32.exe Pbglpg32.exe File opened for modification C:\Windows\SysWOW64\Pmmqmpdm.exe Pfchqf32.exe File opened for modification C:\Windows\SysWOW64\Blniinac.exe Bdfahaaa.exe File created C:\Windows\SysWOW64\Lbpihjem.dll Oodjjign.exe File created C:\Windows\SysWOW64\Epfbllkc.dll Odflmp32.exe File created C:\Windows\SysWOW64\Fbfjkj32.exe Fnjnkkbk.exe File created C:\Windows\SysWOW64\Klfmijae.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Jenndm32.dll Ojeakfnd.exe File created C:\Windows\SysWOW64\Mmlqejic.dll Qdpohodn.exe File created C:\Windows\SysWOW64\Jmdaehpn.dll Afgnkilf.exe File created C:\Windows\SysWOW64\Lhdcojaa.exe Ldhgnk32.exe File created C:\Windows\SysWOW64\Fdjcfm32.dll Onoqfehp.exe File opened for modification C:\Windows\SysWOW64\Plndcmmj.exe Pmkdhq32.exe File opened for modification C:\Windows\SysWOW64\Hnpgloog.exe Hdhbci32.exe File created C:\Windows\SysWOW64\Lgpfpe32.exe Lcdjpfgh.exe File created C:\Windows\SysWOW64\Jmccgf32.dll Obhpad32.exe File created C:\Windows\SysWOW64\Icaipj32.dll Bpboinpd.exe File created C:\Windows\SysWOW64\Bnfoepmg.dll Eclcon32.exe File opened for modification C:\Windows\SysWOW64\Fnjnkkbk.exe Fllaopcg.exe File created C:\Windows\SysWOW64\Lpaehl32.exe Lmcilp32.exe File opened for modification C:\Windows\SysWOW64\Jacibm32.exe Jgkdigfa.exe File created C:\Windows\SysWOW64\Qhincn32.exe Qekbgbpf.exe File created C:\Windows\SysWOW64\Bpmoggbh.dll Dkbbinig.exe File opened for modification C:\Windows\SysWOW64\Ekghcq32.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Ompjookk.dll Mgnfji32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3652 3604 WerFault.exe 291 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgkfbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpfpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmmffgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaphmln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnofaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfippfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkdhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdpohodn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmalgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcngamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjeejep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjpgdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laaabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaqfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbqkeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhbci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhfnifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdojnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjck32.dll" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgegfe.dll" Kmaphmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kembmblk.dll" Nhmbdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odacbpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklpjlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfahaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noclah32.dll" Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkjgclg.dll" Kflafbak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll" Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbqkeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdinnqon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jahbmlil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcmnk32.dll" Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdaemk.dll" Cglcek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmeebpkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbgmkqd.dll" Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbole32.dll" Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbenacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndnpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijidfpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglcek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhiphb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhbci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjhnqfla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piohgbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghibjjfb.dll" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" Nlohmonb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokahpfn.dll" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckecpjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joppeeif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lophacfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdinn32.dll" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abnopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahelebm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfchqf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2700 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 30 PID 2388 wrote to memory of 2700 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 30 PID 2388 wrote to memory of 2700 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 30 PID 2388 wrote to memory of 2700 2388 b4e3f6f198cdb5e80d12d497d7b22300N.exe 30 PID 2700 wrote to memory of 2680 2700 Hajfgnjc.exe 31 PID 2700 wrote to memory of 2680 2700 Hajfgnjc.exe 31 PID 2700 wrote to memory of 2680 2700 Hajfgnjc.exe 31 PID 2700 wrote to memory of 2680 2700 Hajfgnjc.exe 31 PID 2680 wrote to memory of 2812 2680 Hdhbci32.exe 32 PID 2680 wrote to memory of 2812 2680 Hdhbci32.exe 32 PID 2680 wrote to memory of 2812 2680 Hdhbci32.exe 32 PID 2680 wrote to memory of 2812 2680 Hdhbci32.exe 32 PID 2812 wrote to memory of 2600 2812 Hnpgloog.exe 33 PID 2812 wrote to memory of 2600 2812 Hnpgloog.exe 33 PID 2812 wrote to memory of 2600 2812 Hnpgloog.exe 33 PID 2812 wrote to memory of 2600 2812 Hnpgloog.exe 33 PID 2600 wrote to memory of 1240 2600 Hgiked32.exe 34 PID 2600 wrote to memory of 1240 2600 Hgiked32.exe 34 PID 2600 wrote to memory of 1240 2600 Hgiked32.exe 34 PID 2600 wrote to memory of 1240 2600 Hgiked32.exe 34 PID 1240 wrote to memory of 1660 1240 Hbnpbm32.exe 35 PID 1240 wrote to memory of 1660 1240 Hbnpbm32.exe 35 PID 1240 wrote to memory of 1660 1240 Hbnpbm32.exe 35 PID 1240 wrote to memory of 1660 1240 Hbnpbm32.exe 35 PID 1660 wrote to memory of 2904 1660 Ijidfpci.exe 36 PID 1660 wrote to memory of 2904 1660 Ijidfpci.exe 36 PID 1660 wrote to memory of 2904 1660 Ijidfpci.exe 36 PID 1660 wrote to memory of 2904 1660 Ijidfpci.exe 36 PID 2904 wrote to memory of 2092 2904 Ifpelq32.exe 37 PID 2904 wrote to memory of 2092 2904 Ifpelq32.exe 37 PID 2904 wrote to memory of 2092 2904 Ifpelq32.exe 37 PID 2904 wrote to memory of 2092 2904 Ifpelq32.exe 37 PID 2092 wrote to memory of 1040 2092 Imjmhkpj.exe 38 PID 2092 wrote to memory of 1040 2092 Imjmhkpj.exe 38 PID 2092 wrote to memory of 1040 2092 Imjmhkpj.exe 38 PID 2092 wrote to memory of 1040 2092 Imjmhkpj.exe 38 PID 1040 wrote to memory of 2840 1040 Iqhfnifq.exe 39 PID 1040 wrote to memory of 2840 1040 Iqhfnifq.exe 39 PID 1040 wrote to memory of 2840 1040 Iqhfnifq.exe 39 PID 1040 wrote to memory of 2840 1040 Iqhfnifq.exe 39 PID 2840 wrote to memory of 352 2840 Ibibfa32.exe 40 PID 2840 wrote to memory of 352 2840 Ibibfa32.exe 40 PID 2840 wrote to memory of 352 2840 Ibibfa32.exe 40 PID 2840 wrote to memory of 352 2840 Ibibfa32.exe 40 PID 352 wrote to memory of 264 352 Ikagogco.exe 41 PID 352 wrote to memory of 264 352 Ikagogco.exe 41 PID 352 wrote to memory of 264 352 Ikagogco.exe 41 PID 352 wrote to memory of 264 352 Ikagogco.exe 41 PID 264 wrote to memory of 2164 264 Iblola32.exe 42 PID 264 wrote to memory of 2164 264 Iblola32.exe 42 PID 264 wrote to memory of 2164 264 Iblola32.exe 42 PID 264 wrote to memory of 2164 264 Iblola32.exe 42 PID 2164 wrote to memory of 2264 2164 Joppeeif.exe 43 PID 2164 wrote to memory of 2264 2164 Joppeeif.exe 43 PID 2164 wrote to memory of 2264 2164 Joppeeif.exe 43 PID 2164 wrote to memory of 2264 2164 Joppeeif.exe 43 PID 2264 wrote to memory of 1044 2264 Jgkdigfa.exe 44 PID 2264 wrote to memory of 1044 2264 Jgkdigfa.exe 44 PID 2264 wrote to memory of 1044 2264 Jgkdigfa.exe 44 PID 2264 wrote to memory of 1044 2264 Jgkdigfa.exe 44 PID 1044 wrote to memory of 1812 1044 Jacibm32.exe 45 PID 1044 wrote to memory of 1812 1044 Jacibm32.exe 45 PID 1044 wrote to memory of 1812 1044 Jacibm32.exe 45 PID 1044 wrote to memory of 1812 1044 Jacibm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4e3f6f198cdb5e80d12d497d7b22300N.exe"C:\Users\Admin\AppData\Local\Temp\b4e3f6f198cdb5e80d12d497d7b22300N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe34⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe38⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe40⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe43⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe48⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe53⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe54⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe55⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe60⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe61⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe64⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe69⤵PID:1732
-
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe71⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe73⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe77⤵PID:2072
-
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe78⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe81⤵PID:2412
-
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe83⤵PID:1420
-
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe84⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe85⤵PID:2120
-
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe86⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe89⤵PID:2576
-
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe93⤵PID:3060
-
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe98⤵PID:1288
-
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe102⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe104⤵PID:2740
-
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe105⤵PID:2568
-
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe108⤵PID:2124
-
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe110⤵PID:2780
-
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe112⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe113⤵PID:1600
-
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe114⤵PID:1088
-
C:\Windows\SysWOW64\Onoqfehp.exeC:\Windows\system32\Onoqfehp.exe115⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe117⤵PID:1212
-
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe118⤵PID:2564
-
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe121⤵PID:2128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-