Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
23/08/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef14efba0b910d439b57baa37f3f5d70N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ef14efba0b910d439b57baa37f3f5d70N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ef14efba0b910d439b57baa37f3f5d70N.exe
-
Size
80KB
-
MD5
ef14efba0b910d439b57baa37f3f5d70
-
SHA1
0b6e6380db882b3c2c9f5e3f95178d89a3aa3392
-
SHA256
d2b42f708c41768352eaa7f9ea900a8b4e9a35ff94cecaa7e55652e5d223e0bb
-
SHA512
b2f3f9ef65de2f8a4aacac4c9ef50bf03e0b2b458212cb80572601aac3e130101656766117c91c41c14e58a1091298a4f9c4c8cba34057e2962eb7f3a85b24d3
-
SSDEEP
1536:PvyicrYrPlzAlUgiAHVC0SPEba9rPzX7fDnLvT3b/jHrPzX7fDnL3Iq/jHzX7fDw:iii9UiTSEba9rPzX7fDnLvT3b/jHrPzo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famhqclj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jompim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgpfdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhfhaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clecnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqbaqccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqenfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dplbbndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdeaohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekobn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggjmhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncijanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amidmldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgconl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilohnopg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipqmgbbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlkba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbodk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehiqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neddfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babpgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcpdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpflblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfdcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhamp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfckko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihehbpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meonlkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlifie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmclold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibjec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffomjgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbajjiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkbphfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomoohoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dghgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoeiniea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedjfchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqgnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipefba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahlgkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgcingnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafeaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcmkciap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgmdbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgadbcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doflofbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmlokdgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmnkqcem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgjce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cekkaanh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndedhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjbcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjbqei32.exe -
Executes dropped EXE 64 IoCs
pid Process 1852 Kqaigijk.exe 2496 Lkgmdbja.exe 2784 Lnejqmie.exe 2580 Ldpbmg32.exe 2948 Lcbbidgl.exe 2688 Lnhffm32.exe 2172 Loicnemp.exe 2812 Lfckko32.exe 2024 Liaggk32.exe 2972 Lqiohh32.exe 2984 Lbjlppja.exe 2932 Lfehpobj.exe 3068 Lkbphfab.exe 1288 Lfhdeoqh.exe 2308 Lifqbjpk.exe 1984 Lkdmneoo.exe 3036 Mncijanc.exe 2116 Mihngj32.exe 1448 Mlgjce32.exe 328 Mbabpodi.exe 1940 Meonlkcm.exe 2324 Mlifie32.exe 340 Mnhbep32.exe 3048 Mcdkmg32.exe 676 Mhpgnfpn.exe 1608 Mjocja32.exe 1284 Mahlgkgo.exe 2684 Medggj32.exe 2700 Mnllppfh.exe 2900 Makhlkel.exe 2892 Mdidhfdp.exe 1656 Mheqie32.exe 1280 Nfgadbcc.exe 2040 Nmaialjp.exe 2300 Namebk32.exe 2828 Nfjnja32.exe 2836 Nmdfglhm.exe 576 Nbqnobge.exe 2672 Npdohg32.exe 1772 Npdohg32.exe 3028 Nogodcli.exe 2556 Nfogeamk.exe 1980 Nhpcmi32.exe 2176 Nbehjb32.exe 2460 Neddfm32.exe 2348 Nhbpbi32.exe 2512 Obhdpaqm.exe 1540 Oakdkn32.exe 2412 Odiagj32.exe 2076 Olpiig32.exe 2664 Oooeeb32.exe 2680 Omaepoml.exe 2444 Oehmamnn.exe 2748 Odknmi32.exe 2588 Okefjcle.exe 756 Ooabjbdn.exe 2484 Oaonfncb.exe 1720 Odnjbibf.exe 1756 Oglfodai.exe 2068 Okhboc32.exe 2356 Oijbkpqm.exe 2344 Oaaklmao.exe 2136 Odpghiqc.exe 1048 Occgce32.exe -
Loads dropped DLL 64 IoCs
pid Process 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 1852 Kqaigijk.exe 1852 Kqaigijk.exe 2496 Lkgmdbja.exe 2496 Lkgmdbja.exe 2784 Lnejqmie.exe 2784 Lnejqmie.exe 2580 Ldpbmg32.exe 2580 Ldpbmg32.exe 2948 Lcbbidgl.exe 2948 Lcbbidgl.exe 2688 Lnhffm32.exe 2688 Lnhffm32.exe 2172 Loicnemp.exe 2172 Loicnemp.exe 2812 Lfckko32.exe 2812 Lfckko32.exe 2024 Liaggk32.exe 2024 Liaggk32.exe 2972 Lqiohh32.exe 2972 Lqiohh32.exe 2984 Lbjlppja.exe 2984 Lbjlppja.exe 2932 Lfehpobj.exe 2932 Lfehpobj.exe 3068 Lkbphfab.exe 3068 Lkbphfab.exe 1288 Lfhdeoqh.exe 1288 Lfhdeoqh.exe 2308 Lifqbjpk.exe 2308 Lifqbjpk.exe 1984 Lkdmneoo.exe 1984 Lkdmneoo.exe 3036 Mncijanc.exe 3036 Mncijanc.exe 2116 Mihngj32.exe 2116 Mihngj32.exe 1448 Mlgjce32.exe 1448 Mlgjce32.exe 328 Mbabpodi.exe 328 Mbabpodi.exe 1940 Meonlkcm.exe 1940 Meonlkcm.exe 2324 Mlifie32.exe 2324 Mlifie32.exe 340 Mnhbep32.exe 340 Mnhbep32.exe 3048 Mcdkmg32.exe 3048 Mcdkmg32.exe 676 Mhpgnfpn.exe 676 Mhpgnfpn.exe 1608 Mjocja32.exe 1608 Mjocja32.exe 1284 Mahlgkgo.exe 1284 Mahlgkgo.exe 2684 Medggj32.exe 2684 Medggj32.exe 2700 Mnllppfh.exe 2700 Mnllppfh.exe 2900 Makhlkel.exe 2900 Makhlkel.exe 2892 Mdidhfdp.exe 2892 Mdidhfdp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nbehjb32.exe Nhpcmi32.exe File opened for modification C:\Windows\SysWOW64\Pfmclold.exe Pockoeeg.exe File created C:\Windows\SysWOW64\Bojmogak.exe Aipebm32.exe File created C:\Windows\SysWOW64\Qogiamoa.dll Daibfa32.exe File created C:\Windows\SysWOW64\Gglimm32.exe Genmab32.exe File opened for modification C:\Windows\SysWOW64\Jedlph32.exe Jbfpcl32.exe File created C:\Windows\SysWOW64\Ekcpdi32.exe Eghcckld.exe File opened for modification C:\Windows\SysWOW64\Iopqoi32.exe Ifhinl32.exe File created C:\Windows\SysWOW64\Cjliihgg.dll Liaggk32.exe File created C:\Windows\SysWOW64\Jmepmj32.dll Mihngj32.exe File created C:\Windows\SysWOW64\Kjeemh32.dll Meonlkcm.exe File created C:\Windows\SysWOW64\Pdpcgl32.exe Pfmclold.exe File opened for modification C:\Windows\SysWOW64\Hfkidh32.exe Hcmmhmhd.exe File created C:\Windows\SysWOW64\Hllpfdfe.dll Kjbqei32.exe File created C:\Windows\SysWOW64\Dcndam32.dll Kpliac32.exe File opened for modification C:\Windows\SysWOW64\Hfiloiik.exe Hbmpoj32.exe File created C:\Windows\SysWOW64\Ijfadkbm.exe Ifkecl32.exe File created C:\Windows\SysWOW64\Jjjdhcie.dll Qgqlig32.exe File created C:\Windows\SysWOW64\Ajhkka32.exe Afmokbop.exe File created C:\Windows\SysWOW64\Gdlqhjom.dll Dmimkc32.exe File created C:\Windows\SysWOW64\Edenlp32.exe Edenlp32.exe File created C:\Windows\SysWOW64\Fdldmokn.exe Famhqclj.exe File created C:\Windows\SysWOW64\Dekfjd32.dll Jmigke32.exe File created C:\Windows\SysWOW64\Amidmldj.exe Ainhln32.exe File opened for modification C:\Windows\SysWOW64\Bapcaocc.exe Bnagecdp.exe File created C:\Windows\SysWOW64\Memghn32.dll Gnkkeg32.exe File created C:\Windows\SysWOW64\Iiopce32.dll Iopqoi32.exe File opened for modification C:\Windows\SysWOW64\Kjdmjiae.exe Kfiajj32.exe File opened for modification C:\Windows\SysWOW64\Lkdmneoo.exe Lifqbjpk.exe File opened for modification C:\Windows\SysWOW64\Bnmmjd32.exe Bojmogak.exe File created C:\Windows\SysWOW64\Fnfekdpl.exe Ffomjgoj.exe File opened for modification C:\Windows\SysWOW64\Dcmkciap.exe Ddjkhl32.exe File created C:\Windows\SysWOW64\Ekofijic.exe Ellfmm32.exe File created C:\Windows\SysWOW64\Kkkgnmqb.exe Khlkba32.exe File created C:\Windows\SysWOW64\Ogqpjd32.exe Ocedieek.exe File opened for modification C:\Windows\SysWOW64\Ainhln32.exe Abcppcdc.exe File created C:\Windows\SysWOW64\Gqenfc32.exe Gbbnkfjq.exe File created C:\Windows\SysWOW64\Kofdia32.dll Lkbphfab.exe File created C:\Windows\SysWOW64\Oakdkn32.exe Obhdpaqm.exe File created C:\Windows\SysWOW64\Ehnmgo32.exe Eikmkbeg.exe File created C:\Windows\SysWOW64\Eafapd32.exe Eccadhkh.exe File opened for modification C:\Windows\SysWOW64\Janijh32.exe Jckiolgm.exe File opened for modification C:\Windows\SysWOW64\Kkkgnmqb.exe Khlkba32.exe File created C:\Windows\SysWOW64\Kinbbi32.dll Mheqie32.exe File created C:\Windows\SysWOW64\Knjclp32.dll Oaaklmao.exe File created C:\Windows\SysWOW64\Pehiqp32.exe Pcjmdd32.exe File created C:\Windows\SysWOW64\Eghcckld.exe Ediggoma.exe File created C:\Windows\SysWOW64\Epgpci32.dll Hfiloiik.exe File created C:\Windows\SysWOW64\Namjglek.dll Hllkhoaj.exe File created C:\Windows\SysWOW64\Bencfl32.dll Makhlkel.exe File created C:\Windows\SysWOW64\Anonqq32.exe Ajcbpbkn.exe File created C:\Windows\SysWOW64\Cokaco32.dll Cplfcj32.exe File opened for modification C:\Windows\SysWOW64\Fdnabo32.exe Fqbeapqb.exe File created C:\Windows\SysWOW64\Jmmloeec.dll Fiepga32.exe File created C:\Windows\SysWOW64\Jbfpcl32.exe Jokccnci.exe File created C:\Windows\SysWOW64\Pcljjd32.exe Pkebig32.exe File created C:\Windows\SysWOW64\Aggbif32.exe Aqnjml32.exe File created C:\Windows\SysWOW64\Febnfe32.dll Dkmmdg32.exe File created C:\Windows\SysWOW64\Eikmkbeg.exe Eepakc32.exe File created C:\Windows\SysWOW64\Dlgaokci.dll Ipcjlaqd.exe File opened for modification C:\Windows\SysWOW64\Jebojh32.exe Jfoookfn.exe File created C:\Windows\SysWOW64\Qnkdeagl.exe Qgqlig32.exe File created C:\Windows\SysWOW64\Eklicjkf.exe Ehnmgo32.exe File created C:\Windows\SysWOW64\Lqiohh32.exe Liaggk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4244 4200 WerFault.exe 408 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqiohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhejf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klqmaebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhfhaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjlppja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbpbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaklmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aikkgnnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnagecdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbeapqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcppcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmimkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ialpfeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqmgbbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimpppoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiolfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlqao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomoohoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlokdgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfpcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjlaqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaonfncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponadfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnkdeagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anonqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglhcihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbnkfjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coofoghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedjfchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ediggoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghcckld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhjok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhdeoqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncijanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odknmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocedieek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcingnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkoeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipefba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfoookfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqlgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilohnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodfilko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llefld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbphfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oglfodai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekffp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bamfloef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkmao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhedachg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdoblckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phibbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafeaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folknlae.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjhgjdjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clecnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfckko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmepmj32.dll" Mihngj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oocqan32.dll" Phibbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihn32.dll" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkahndkb.dll" Hbajjiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Londmb32.dll" Eklicjkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcfjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjmeinn.dll" Ldpbmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdmneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleeofog.dll" Odbcnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbfqfppe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmlokdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhgcd32.dll" Depelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkflii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdmcqp32.dll" Goadik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnpbgjma.dll" Hffpiikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhlilip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihngj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgnpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bakjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Capopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkmnqdme.dll" Dfaachpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdlefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbliiipi.dll" Kkkgnmqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filfpd32.dll" Odknmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffaqla32.dll" Ogqpjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgoff32.dll" Fkaomm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmiimabd.dll" Anjqdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Didgkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eepakc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhlilip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfgedkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbhjbd.dll" Mnhbep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiepga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdlplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedlph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cliaeofi.dll" Lifqbjpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefbbmbg.dll" Pcjmdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggbif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bencfl32.dll" Makhlkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bclbhkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcndam32.dll" Kckeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilohnopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlodma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqaigijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfckko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgjpijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibkj32.dll" Fccncknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hleegpgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omaepoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phegmipo.dll" Pekffp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcnihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caapeidl.dll" Doclijgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnmaka32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1696 wrote to memory of 1852 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 29 PID 1696 wrote to memory of 1852 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 29 PID 1696 wrote to memory of 1852 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 29 PID 1696 wrote to memory of 1852 1696 ef14efba0b910d439b57baa37f3f5d70N.exe 29 PID 1852 wrote to memory of 2496 1852 Kqaigijk.exe 30 PID 1852 wrote to memory of 2496 1852 Kqaigijk.exe 30 PID 1852 wrote to memory of 2496 1852 Kqaigijk.exe 30 PID 1852 wrote to memory of 2496 1852 Kqaigijk.exe 30 PID 2496 wrote to memory of 2784 2496 Lkgmdbja.exe 31 PID 2496 wrote to memory of 2784 2496 Lkgmdbja.exe 31 PID 2496 wrote to memory of 2784 2496 Lkgmdbja.exe 31 PID 2496 wrote to memory of 2784 2496 Lkgmdbja.exe 31 PID 2784 wrote to memory of 2580 2784 Lnejqmie.exe 32 PID 2784 wrote to memory of 2580 2784 Lnejqmie.exe 32 PID 2784 wrote to memory of 2580 2784 Lnejqmie.exe 32 PID 2784 wrote to memory of 2580 2784 Lnejqmie.exe 32 PID 2580 wrote to memory of 2948 2580 Ldpbmg32.exe 33 PID 2580 wrote to memory of 2948 2580 Ldpbmg32.exe 33 PID 2580 wrote to memory of 2948 2580 Ldpbmg32.exe 33 PID 2580 wrote to memory of 2948 2580 Ldpbmg32.exe 33 PID 2948 wrote to memory of 2688 2948 Lcbbidgl.exe 34 PID 2948 wrote to memory of 2688 2948 Lcbbidgl.exe 34 PID 2948 wrote to memory of 2688 2948 Lcbbidgl.exe 34 PID 2948 wrote to memory of 2688 2948 Lcbbidgl.exe 34 PID 2688 wrote to memory of 2172 2688 Lnhffm32.exe 35 PID 2688 wrote to memory of 2172 2688 Lnhffm32.exe 35 PID 2688 wrote to memory of 2172 2688 Lnhffm32.exe 35 PID 2688 wrote to memory of 2172 2688 Lnhffm32.exe 35 PID 2172 wrote to memory of 2812 2172 Loicnemp.exe 36 PID 2172 wrote to memory of 2812 2172 Loicnemp.exe 36 PID 2172 wrote to memory of 2812 2172 Loicnemp.exe 36 PID 2172 wrote to memory of 2812 2172 Loicnemp.exe 36 PID 2812 wrote to memory of 2024 2812 Lfckko32.exe 37 PID 2812 wrote to memory of 2024 2812 Lfckko32.exe 37 PID 2812 wrote to memory of 2024 2812 Lfckko32.exe 37 PID 2812 wrote to memory of 2024 2812 Lfckko32.exe 37 PID 2024 wrote to memory of 2972 2024 Liaggk32.exe 38 PID 2024 wrote to memory of 2972 2024 Liaggk32.exe 38 PID 2024 wrote to memory of 2972 2024 Liaggk32.exe 38 PID 2024 wrote to memory of 2972 2024 Liaggk32.exe 38 PID 2972 wrote to memory of 2984 2972 Lqiohh32.exe 39 PID 2972 wrote to memory of 2984 2972 Lqiohh32.exe 39 PID 2972 wrote to memory of 2984 2972 Lqiohh32.exe 39 PID 2972 wrote to memory of 2984 2972 Lqiohh32.exe 39 PID 2984 wrote to memory of 2932 2984 Lbjlppja.exe 40 PID 2984 wrote to memory of 2932 2984 Lbjlppja.exe 40 PID 2984 wrote to memory of 2932 2984 Lbjlppja.exe 40 PID 2984 wrote to memory of 2932 2984 Lbjlppja.exe 40 PID 2932 wrote to memory of 3068 2932 Lfehpobj.exe 41 PID 2932 wrote to memory of 3068 2932 Lfehpobj.exe 41 PID 2932 wrote to memory of 3068 2932 Lfehpobj.exe 41 PID 2932 wrote to memory of 3068 2932 Lfehpobj.exe 41 PID 3068 wrote to memory of 1288 3068 Lkbphfab.exe 42 PID 3068 wrote to memory of 1288 3068 Lkbphfab.exe 42 PID 3068 wrote to memory of 1288 3068 Lkbphfab.exe 42 PID 3068 wrote to memory of 1288 3068 Lkbphfab.exe 42 PID 1288 wrote to memory of 2308 1288 Lfhdeoqh.exe 43 PID 1288 wrote to memory of 2308 1288 Lfhdeoqh.exe 43 PID 1288 wrote to memory of 2308 1288 Lfhdeoqh.exe 43 PID 1288 wrote to memory of 2308 1288 Lfhdeoqh.exe 43 PID 2308 wrote to memory of 1984 2308 Lifqbjpk.exe 44 PID 2308 wrote to memory of 1984 2308 Lifqbjpk.exe 44 PID 2308 wrote to memory of 1984 2308 Lifqbjpk.exe 44 PID 2308 wrote to memory of 1984 2308 Lifqbjpk.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef14efba0b910d439b57baa37f3f5d70N.exe"C:\Users\Admin\AppData\Local\Temp\ef14efba0b910d439b57baa37f3f5d70N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Kqaigijk.exeC:\Windows\system32\Kqaigijk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Lkgmdbja.exeC:\Windows\system32\Lkgmdbja.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Lnejqmie.exeC:\Windows\system32\Lnejqmie.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ldpbmg32.exeC:\Windows\system32\Ldpbmg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Lcbbidgl.exeC:\Windows\system32\Lcbbidgl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Lnhffm32.exeC:\Windows\system32\Lnhffm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Loicnemp.exeC:\Windows\system32\Loicnemp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Lfckko32.exeC:\Windows\system32\Lfckko32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Liaggk32.exeC:\Windows\system32\Liaggk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Lqiohh32.exeC:\Windows\system32\Lqiohh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Lbjlppja.exeC:\Windows\system32\Lbjlppja.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Lfehpobj.exeC:\Windows\system32\Lfehpobj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Lfhdeoqh.exeC:\Windows\system32\Lfhdeoqh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Lifqbjpk.exeC:\Windows\system32\Lifqbjpk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Lkdmneoo.exeC:\Windows\system32\Lkdmneoo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Mncijanc.exeC:\Windows\system32\Mncijanc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Mihngj32.exeC:\Windows\system32\Mihngj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Mlgjce32.exeC:\Windows\system32\Mlgjce32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Mbabpodi.exeC:\Windows\system32\Mbabpodi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Meonlkcm.exeC:\Windows\system32\Meonlkcm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Mlifie32.exeC:\Windows\system32\Mlifie32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Mnhbep32.exeC:\Windows\system32\Mnhbep32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Mcdkmg32.exeC:\Windows\system32\Mcdkmg32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Mhpgnfpn.exeC:\Windows\system32\Mhpgnfpn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Mjocja32.exeC:\Windows\system32\Mjocja32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Mahlgkgo.exeC:\Windows\system32\Mahlgkgo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Mnllppfh.exeC:\Windows\system32\Mnllppfh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Makhlkel.exeC:\Windows\system32\Makhlkel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Mdidhfdp.exeC:\Windows\system32\Mdidhfdp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Mheqie32.exeC:\Windows\system32\Mheqie32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Nfgadbcc.exeC:\Windows\system32\Nfgadbcc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Nmaialjp.exeC:\Windows\system32\Nmaialjp.exe35⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Namebk32.exeC:\Windows\system32\Namebk32.exe36⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nfjnja32.exeC:\Windows\system32\Nfjnja32.exe37⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Nmdfglhm.exeC:\Windows\system32\Nmdfglhm.exe38⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nbqnobge.exeC:\Windows\system32\Nbqnobge.exe39⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe41⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Nogodcli.exeC:\Windows\system32\Nogodcli.exe42⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Nfogeamk.exeC:\Windows\system32\Nfogeamk.exe43⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Nhpcmi32.exeC:\Windows\system32\Nhpcmi32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Nbehjb32.exeC:\Windows\system32\Nbehjb32.exe45⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Neddfm32.exeC:\Windows\system32\Neddfm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Nhbpbi32.exeC:\Windows\system32\Nhbpbi32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Oakdkn32.exeC:\Windows\system32\Oakdkn32.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe50⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Olpiig32.exeC:\Windows\system32\Olpiig32.exe51⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Oooeeb32.exeC:\Windows\system32\Oooeeb32.exe52⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Oehmamnn.exeC:\Windows\system32\Oehmamnn.exe54⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Odknmi32.exeC:\Windows\system32\Odknmi32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe57⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Oglfodai.exeC:\Windows\system32\Oglfodai.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe61⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe62⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Oaaklmao.exeC:\Windows\system32\Oaaklmao.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Odpghiqc.exeC:\Windows\system32\Odpghiqc.exe64⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe65⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe66⤵PID:2388
-
C:\Windows\SysWOW64\Oimpppoj.exeC:\Windows\system32\Oimpppoj.exe67⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe68⤵PID:2764
-
C:\Windows\SysWOW64\Odbcnh32.exeC:\Windows\system32\Odbcnh32.exe69⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Ocedieek.exeC:\Windows\system32\Ocedieek.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Ogqpjd32.exeC:\Windows\system32\Ogqpjd32.exe71⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Oiolfo32.exeC:\Windows\system32\Oiolfo32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Pnkhfnea.exeC:\Windows\system32\Pnkhfnea.exe73⤵PID:2876
-
C:\Windows\SysWOW64\Ppidbidd.exeC:\Windows\system32\Ppidbidd.exe74⤵PID:2568
-
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe75⤵PID:2488
-
C:\Windows\SysWOW64\Piaiko32.exeC:\Windows\system32\Piaiko32.exe76⤵PID:2072
-
C:\Windows\SysWOW64\Plpehj32.exeC:\Windows\system32\Plpehj32.exe77⤵PID:2952
-
C:\Windows\SysWOW64\Ponadfim.exeC:\Windows\system32\Ponadfim.exe78⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Pehiqp32.exeC:\Windows\system32\Pehiqp32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Plbbmjhf.exeC:\Windows\system32\Plbbmjhf.exe82⤵PID:1248
-
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe83⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Pcljjd32.exeC:\Windows\system32\Pcljjd32.exe84⤵PID:2152
-
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe87⤵PID:2868
-
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe88⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Pfmclold.exeC:\Windows\system32\Pfmclold.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe90⤵PID:2928
-
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe91⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Poegde32.exeC:\Windows\system32\Poegde32.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe93⤵PID:2296
-
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe94⤵PID:1500
-
C:\Windows\SysWOW64\Qgqlig32.exeC:\Windows\system32\Qgqlig32.exe95⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe97⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe98⤵PID:3056
-
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe101⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Adgihkmf.exeC:\Windows\system32\Adgihkmf.exe102⤵PID:2256
-
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe103⤵PID:1792
-
C:\Windows\SysWOW64\Ajcbpbkn.exeC:\Windows\system32\Ajcbpbkn.exe104⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Anonqq32.exeC:\Windows\system32\Anonqq32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Aqnjml32.exeC:\Windows\system32\Aqnjml32.exe106⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe108⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe109⤵PID:1468
-
C:\Windows\SysWOW64\Aqpgblqh.exeC:\Windows\system32\Aqpgblqh.exe110⤵PID:2192
-
C:\Windows\SysWOW64\Aocgnh32.exeC:\Windows\system32\Aocgnh32.exe111⤵PID:1956
-
C:\Windows\SysWOW64\Afmokbop.exeC:\Windows\system32\Afmokbop.exe112⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe113⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe114⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Amgggm32.exeC:\Windows\system32\Amgggm32.exe115⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Acqpdgni.exeC:\Windows\system32\Acqpdgni.exe116⤵PID:2980
-
C:\Windows\SysWOW64\Abcppcdc.exeC:\Windows\system32\Abcppcdc.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe118⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Amidmldj.exeC:\Windows\system32\Amidmldj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Akldhi32.exeC:\Windows\system32\Akldhi32.exe120⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Anjqdd32.exeC:\Windows\system32\Anjqdd32.exe121⤵
- Modifies registry class
PID:1884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-