Analysis
max time kernel: 116s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: d8cabd3d04dcf7435a7114f385f99420N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d8cabd3d04dcf7435a7114f385f99420N.exe
  Resource: win10v2004-20240802-en
General
Target: d8cabd3d04dcf7435a7114f385f99420N.exe
Size: 896KB
MD5: d8cabd3d04dcf7435a7114f385f99420
SHA1: c065c9fd95fab0093607985ec8a668ae108c0c0a
SHA256: 45d945092966760d4fb39640600632bf198f0a1a3b17eebc96d008c9b8fc93c5
SHA512: 6e6234c0f4b3e07b0cf436cfe4002d3d755aa259e32702bda4c9be40cf72eefdaaac8830cad2ae1ea79b12b2b1d1f6a5c468418eb94fae405d6c00d90cb32301
SSDEEP: 12288:jtDdByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:Yvr4B9f01ZmQvrUENOVvr1
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7044, pid_target: 4860, Process: WerFault.exe, procid_target: 979
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2364 1720 d8cabd3d04dcf7435a7114f385f99420N.exe 30 PID 1720 wrote to memory of 2364 1720 d8cabd3d04dcf7435a7114f385f99420N.exe 30 PID 1720 wrote to memory of 2364 1720 d8cabd3d04dcf7435a7114f385f99420N.exe 30 PID 1720 wrote to memory of 2364 1720 d8cabd3d04dcf7435a7114f385f99420N.exe 30 PID 2364 wrote to memory of 2088 2364 Qjbehfbo.exe 31 PID 2364 wrote to memory of 2088 2364 Qjbehfbo.exe 31 PID 2364 wrote to memory of 2088 2364 Qjbehfbo.exe 31 PID 2364 wrote to memory of 2088 2364 Qjbehfbo.exe 31 PID 2088 wrote to memory of 2840 2088 Qoonqmqf.exe 32 PID 2088 wrote to memory of 2840 2088 Qoonqmqf.exe 32 PID 2088 wrote to memory of 2840 2088 Qoonqmqf.exe 32 PID 2088 wrote to memory of 2840 2088 Qoonqmqf.exe 32 PID 2840 wrote to memory of 1436 2840 Qkeofnfk.exe 33 PID 2840 wrote to memory of 1436 2840 Qkeofnfk.exe 33 PID 2840 wrote to memory of 1436 2840 Qkeofnfk.exe 33 PID 2840 wrote to memory of 1436 2840 Qkeofnfk.exe 33 PID 1436 wrote to memory of 2640 1436 Adbmjbif.exe 34 PID 1436 wrote to memory of 2640 1436 Adbmjbif.exe 34 PID 1436 wrote to memory of 2640 1436 Adbmjbif.exe 34 PID 1436 wrote to memory of 2640 1436 Adbmjbif.exe 34 PID 2640 wrote to memory of 2620 2640 Afffgjma.exe 35 PID 2640 wrote to memory of 2620 2640 Afffgjma.exe 35 PID 2640 wrote to memory of 2620 2640 Afffgjma.exe 35 PID 2640 wrote to memory of 2620 2640 Afffgjma.exe 35 PID 2620 wrote to memory of 1640 2620 Aqljdclg.exe 36 PID 2620 wrote to memory of 1640 2620 Aqljdclg.exe 36 PID 2620 wrote to memory of 1640 2620 Aqljdclg.exe 36 PID 2620 wrote to memory of 1640 2620 Aqljdclg.exe 36 PID 1640 wrote to memory of 1676 1640 Boqgep32.exe 37 PID 1640 wrote to memory of 1676 1640 Boqgep32.exe 37 PID 1640 wrote to memory of 1676 1640 Boqgep32.exe 37 PID 1640 wrote to memory of 1676 1640 Boqgep32.exe 37 PID 1676 wrote to memory of 1904 1676 Bjfkbhae.exe 38 PID 1676 wrote to memory of 1904 1676 Bjfkbhae.exe 38 PID 1676 wrote to memory 
of 1904 1676 Bjfkbhae.exe 38 PID 1676 wrote to memory of 1904 1676 Bjfkbhae.exe 38 PID 1904 wrote to memory of 3024 1904 Bmegodpi.exe 39 PID 1904 wrote to memory of 3024 1904 Bmegodpi.exe 39 PID 1904 wrote to memory of 3024 1904 Bmegodpi.exe 39 PID 1904 wrote to memory of 3024 1904 Bmegodpi.exe 39 PID 3024 wrote to memory of 3016 3024 Bocckoom.exe 40 PID 3024 wrote to memory of 3016 3024 Bocckoom.exe 40 PID 3024 wrote to memory of 3016 3024 Bocckoom.exe 40 PID 3024 wrote to memory of 3016 3024 Bocckoom.exe 40 PID 3016 wrote to memory of 3000 3016 Bbapgknp.exe 41 PID 3016 wrote to memory of 3000 3016 Bbapgknp.exe 41 PID 3016 wrote to memory of 3000 3016 Bbapgknp.exe 41 PID 3016 wrote to memory of 3000 3016 Bbapgknp.exe 41 PID 3000 wrote to memory of 2212 3000 Bfmlgi32.exe 42 PID 3000 wrote to memory of 2212 3000 Bfmlgi32.exe 42 PID 3000 wrote to memory of 2212 3000 Bfmlgi32.exe 42 PID 3000 wrote to memory of 2212 3000 Bfmlgi32.exe 42 PID 2212 wrote to memory of 2112 2212 Bikhce32.exe 43 PID 2212 wrote to memory of 2112 2212 Bikhce32.exe 43 PID 2212 wrote to memory of 2112 2212 Bikhce32.exe 43 PID 2212 wrote to memory of 2112 2212 Bikhce32.exe 43 PID 2112 wrote to memory of 2404 2112 Bmgddcnf.exe 44 PID 2112 wrote to memory of 2404 2112 Bmgddcnf.exe 44 PID 2112 wrote to memory of 2404 2112 Bmgddcnf.exe 44 PID 2112 wrote to memory of 2404 2112 Bmgddcnf.exe 44 PID 2404 wrote to memory of 1072 2404 Dlepjbmo.exe 45 PID 2404 wrote to memory of 1072 2404 Dlepjbmo.exe 45 PID 2404 wrote to memory of 1072 2404 Dlepjbmo.exe 45 PID 2404 wrote to memory of 1072 2404 Dlepjbmo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8cabd3d04dcf7435a7114f385f99420N.exe"C:\Users\Admin\AppData\Local\Temp\d8cabd3d04dcf7435a7114f385f99420N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Bmegodpi.exeC:\Windows\system32\Bmegodpi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Bikhce32.exeC:\Windows\system32\Bikhce32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe33⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe34⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Gfpjgn32.exeC:\Windows\system32\Gfpjgn32.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe36⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Gccjpb32.exeC:\Windows\system32\Gccjpb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe38⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Gicpnhbb.exeC:\Windows\system32\Gicpnhbb.exe39⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe40⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe41⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe43⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe44⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe45⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hjieapck.exeC:\Windows\system32\Hjieapck.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe47⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hkhbkc32.exeC:\Windows\system32\Hkhbkc32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe49⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe50⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Hpjgdf32.exeC:\Windows\system32\Hpjgdf32.exe51⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe52⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe53⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Imqdcjkd.exeC:\Windows\system32\Imqdcjkd.exe55⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe56⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe57⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe58⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ibpjaagi.exeC:\Windows\system32\Ibpjaagi.exe59⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe62⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe64⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe65⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe67⤵PID:1208
-
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe68⤵PID:860
-
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe69⤵PID:1548
-
C:\Windows\SysWOW64\Jalmcl32.exeC:\Windows\system32\Jalmcl32.exe70⤵PID:2864
-
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe71⤵PID:1580
-
C:\Windows\SysWOW64\Jkdalb32.exeC:\Windows\system32\Jkdalb32.exe72⤵PID:2124
-
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe73⤵PID:2132
-
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe74⤵PID:3056
-
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe75⤵PID:2952
-
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe76⤵PID:2100
-
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe77⤵PID:996
-
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe78⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe79⤵PID:820
-
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe80⤵PID:576
-
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe81⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe82⤵PID:2196
-
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe84⤵PID:3064
-
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe86⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe87⤵PID:2616
-
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe88⤵PID:2784
-
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe90⤵PID:2596
-
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe91⤵PID:2876
-
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe92⤵PID:3008
-
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe93⤵PID:2096
-
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe94⤵PID:1312
-
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe95⤵PID:1600
-
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe96⤵PID:1448
-
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe97⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe98⤵PID:2900
-
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe99⤵PID:2336
-
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe100⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe101⤵PID:2168
-
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe102⤵PID:2712
-
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe103⤵PID:2764
-
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe104⤵PID:2216
-
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe105⤵PID:2456
-
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe106⤵PID:1988
-
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe107⤵PID:2484
-
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe108⤵PID:1356
-
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe109⤵PID:1728
-
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe111⤵PID:1684
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe112⤵PID:864
-
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe113⤵PID:2912
-
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe114⤵PID:1596
-
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe115⤵PID:1688
-
C:\Windows\SysWOW64\Nqakim32.exeC:\Windows\system32\Nqakim32.exe116⤵PID:940
-
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe117⤵PID:1936
-
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe118⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe119⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe120⤵PID:2904
-
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe121⤵PID:284
-
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe122⤵PID:3032