Analysis
max time kernel: 60s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: f93354ce6aebf2f950e1e4b21f8e6f20N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f93354ce6aebf2f950e1e4b21f8e6f20N.exe
  Resource: win10v2004-20240802-en
General
Target: f93354ce6aebf2f950e1e4b21f8e6f20N.exe
Size: 227KB
MD5: f93354ce6aebf2f950e1e4b21f8e6f20
SHA1: f19c9eac8b4a9f17e5b855c89aada10b12193760
SHA256: 67692d9f0d61a1102a50e732591ee7ae06f3013600d974ee5957488ef9151d7d
SHA512: ba96c659f9b695f46f0ea2c8465dd26056dfac00557778401ed138b07edab3d7be48ab3d0aa2d950f01db6a5b6bfceaf4214cea9ada53e5f46a7ca8a573b4c4b
SSDEEP: 3072:m7t/agRyyaM27eY+yeyApwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:mogAyaMZpJqm7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jpkbfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaobcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Accobock.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bomlmpgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqnidh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Depgeiag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fokqae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nihedodm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfcohlce.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmnhok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pdmbpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jakhckdb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njlnbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Olfnpnfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnhnnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjldbiig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kmfpjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djmpmppn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lhmijn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqfjpnmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pnicgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qlkcjadb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpgdealm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epfnkk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqomqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plbdfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Celnjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjocaaoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bqnidh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njnkggfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hnapln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjocaaoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Faegda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfaodclg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nmdhpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgmogcpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgkiaihl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cggffocg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Okmena32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Plfhfiqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kefnjdgc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpadek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Agngqmhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nelgkhdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dfnncb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jolingnk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npgngokp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbgggf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbicmfqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gqomqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfhcmkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hkgmkbih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icenedep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aqcmkjje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfoinj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Npgngokp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pplcabif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adagjagp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hblidd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilggal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikaglgei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bphhobmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dglmmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cjppclkp.exe
Executes dropped EXE (64 IoCs)
pid | Process
2456 | Kfiajj32.exe
2196 | Koafcppm.exe
2748 | Lfpgkicd.exe
2780 | Lqleqg32.exe
2576 | Mocogc32.exe
2652 | Milcphgf.exe
2516 | Megmpi32.exe
2088 | Nelgkhdp.exe
2420 | Nhombc32.exe
956 | Ofgfio32.exe
2856 | Oodhca32.exe
2044 | Olhhmele.exe
2908 | Okmena32.exe
2364 | Plfhfiqc.exe
2592 | Qjleem32.exe
1372 | Qcdinbdk.exe
2096 | Aopcnbfj.exe
1780 | Ahhhgh32.exe
1376 | Aqcmkjje.exe
236 | Acdemegf.exe
2296 | Bmogkkkd.exe
3016 | Bfgkdp32.exe
1232 | Bpdihedp.exe
2480 | Cgbjbgph.exe
1184 | Cpbiaiin.exe
2168 | Dfnncb32.exe
2756 | Dlmcaijm.exe
2840 | Deegjo32.exe
2704 | Dmcidqlf.exe
2532 | Dglmmf32.exe
2968 | Epfnkk32.exe
1728 | Eiocdand.exe
880 | Eonhbg32.exe
1536 | Elahkl32.exe
908 | Fkgemh32.exe
768 | Fnhnnc32.exe
2948 | Fhmblljb.exe
1336 | Faegda32.exe
1548 | Fqkdenfj.exe
2136 | Fkphcg32.exe
2508 | Gggihhkd.exe
604 | Gqomqm32.exe
1600 | Gmfnen32.exe
924 | Gfobndnj.exe
2000 | Gfaodclg.exe
668 | Gnldhf32.exe
2896 | Hgdhakpb.exe
2924 | Hidekn32.exe
2300 | Hblidd32.exe
2972 | Hjgnhf32.exe
2380 | Hjjknfin.exe
2660 | Hgnkgjgh.exe
2768 | Ibglhhdf.exe
2596 | Immqeq32.exe
2564 | Iidajaiq.exe
2976 | Ipnigl32.exe
1448 | Ildjlmfb.exe
1516 | Ilggal32.exe
2832 | Ieokjbkp.exe
1576 | Jjldbiig.exe
1396 | Jeahpa32.exe
2256 | Jmmmdd32.exe
1092 | Jolingnk.exe
2520 | Jpnffoci.exe
Loads dropped DLL (64 IoCs)
pid | Process
2028 | f93354ce6aebf2f950e1e4b21f8e6f20N.exe
2028 | f93354ce6aebf2f950e1e4b21f8e6f20N.exe
2456 | Kfiajj32.exe
2456 | Kfiajj32.exe
2196 | Koafcppm.exe
2196 | Koafcppm.exe
2748 | Lfpgkicd.exe
2748 | Lfpgkicd.exe
2780 | Lqleqg32.exe
2780 | Lqleqg32.exe
2576 | Mocogc32.exe
2576 | Mocogc32.exe
2652 | Milcphgf.exe
2652 | Milcphgf.exe
2516 | Megmpi32.exe
2516 | Megmpi32.exe
2088 | Nelgkhdp.exe
2088 | Nelgkhdp.exe
2420 | Nhombc32.exe
2420 | Nhombc32.exe
956 | Ofgfio32.exe
956 | Ofgfio32.exe
2856 | Oodhca32.exe
2856 | Oodhca32.exe
2044 | Olhhmele.exe
2044 | Olhhmele.exe
2908 | Okmena32.exe
2908 | Okmena32.exe
2364 | Plfhfiqc.exe
2364 | Plfhfiqc.exe
2592 | Qjleem32.exe
2592 | Qjleem32.exe
1372 | Qcdinbdk.exe
1372 | Qcdinbdk.exe
2096 | Aopcnbfj.exe
2096 | Aopcnbfj.exe
1780 | Ahhhgh32.exe
1780 | Ahhhgh32.exe
1376 | Aqcmkjje.exe
1376 | Aqcmkjje.exe
236 | Acdemegf.exe
236 | Acdemegf.exe
2296 | Bmogkkkd.exe
2296 | Bmogkkkd.exe
3016 | Bfgkdp32.exe
3016 | Bfgkdp32.exe
1232 | Bpdihedp.exe
1232 | Bpdihedp.exe
2480 | Cgbjbgph.exe
2480 | Cgbjbgph.exe
1184 | Cpbiaiin.exe
1184 | Cpbiaiin.exe
2168 | Dfnncb32.exe
2168 | Dfnncb32.exe
2756 | Dlmcaijm.exe
2756 | Dlmcaijm.exe
2840 | Deegjo32.exe
2840 | Deegjo32.exe
2704 | Dmcidqlf.exe
2704 | Dmcidqlf.exe
2532 | Dglmmf32.exe
2532 | Dglmmf32.exe
2968 | Epfnkk32.exe
2968 | Epfnkk32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ofdhpj32.dll | Bpmajb32.exe
File created | C:\Windows\SysWOW64\Onadck32.exe | Oamcjgmi.exe
File created | C:\Windows\SysWOW64\Faapbk32.exe | Fifkni32.exe
File opened for modification | C:\Windows\SysWOW64\Cpbiaiin.exe | Cgbjbgph.exe
File created | C:\Windows\SysWOW64\Ipnigl32.exe | Iidajaiq.exe
File opened for modification | C:\Windows\SysWOW64\Fifkni32.exe | Fpngec32.exe
File created | C:\Windows\SysWOW64\Ildjlmfb.exe | Ipnigl32.exe
File created | C:\Windows\SysWOW64\Apcfqd32.exe | Acoegp32.exe
File opened for modification | C:\Windows\SysWOW64\Opempcpn.exe | Odnmkb32.exe
File created | C:\Windows\SysWOW64\Aghdboal.exe | Albpef32.exe
File created | C:\Windows\SysWOW64\Qddkie32.dll | Fkgemh32.exe
File created | C:\Windows\SysWOW64\Gqomqm32.exe | Gggihhkd.exe
File opened for modification | C:\Windows\SysWOW64\Bfgkdp32.exe | Bmogkkkd.exe
File created | C:\Windows\SysWOW64\Dnlafm32.exe | Dioinf32.exe
File opened for modification | C:\Windows\SysWOW64\Ikaglgei.exe | Ijbjbdnf.exe
File created | C:\Windows\SysWOW64\Gfaodclg.exe | Gfobndnj.exe
File opened for modification | C:\Windows\SysWOW64\Odnmkb32.exe | Onadck32.exe
File opened for modification | C:\Windows\SysWOW64\Bflghh32.exe | Bhhfnd32.exe
File created | C:\Windows\SysWOW64\Dmfkcf32.exe | Cgicko32.exe
File opened for modification | C:\Windows\SysWOW64\Fhmblljb.exe | Fnhnnc32.exe
File created | C:\Windows\SysWOW64\Dbijfbdg.dll | Jhhcpkmh.exe
File opened for modification | C:\Windows\SysWOW64\Aaobcg32.exe | Ahfmjafa.exe
File opened for modification | C:\Windows\SysWOW64\Hgjdecca.exe | Hnapln32.exe
File created | C:\Windows\SysWOW64\Dfdbpl32.dll | Hkgmkbih.exe
File opened for modification | C:\Windows\SysWOW64\Onmkhlph.exe | Nedfofig.exe
File created | C:\Windows\SysWOW64\Bajdme32.dll | Pfcohlce.exe
File created | C:\Windows\SysWOW64\Iiimnjmp.exe | Iboeap32.exe
File created | C:\Windows\SysWOW64\Fmlpmddp.dll | Mncdhc32.exe
File created | C:\Windows\SysWOW64\Ljecnh32.dll | Lfpgkicd.exe
File opened for modification | C:\Windows\SysWOW64\Djmpmppn.exe | Depgeiag.exe
File created | C:\Windows\SysWOW64\Hmqjoljn.exe | Hdeekjmc.exe
File created | C:\Windows\SysWOW64\Mcbjfjnp.exe | Mlhaip32.exe
File opened for modification | C:\Windows\SysWOW64\Olfnpnfl.exe | Ofiegggd.exe
File opened for modification | C:\Windows\SysWOW64\Feoihi32.exe | Faapbk32.exe
File created | C:\Windows\SysWOW64\Gckcpl32.dll | Hdikch32.exe
File created | C:\Windows\SysWOW64\Gggihhkd.exe | Fkphcg32.exe
File created | C:\Windows\SysWOW64\Jmafocbb.exe | Jpnffoci.exe
File created | C:\Windows\SysWOW64\Ebjpqc32.dll | Eohhmbjc.exe
File created | C:\Windows\SysWOW64\Nikefh32.dll | Iajfin32.exe
File created | C:\Windows\SysWOW64\Kphbom32.exe | Kfpmfgpn.exe
File created | C:\Windows\SysWOW64\Eimcoh32.dll | Cqmnie32.exe
File created | C:\Windows\SysWOW64\Jjldbiig.exe | Ieokjbkp.exe
File created | C:\Windows\SysWOW64\Pfcohlce.exe | Pipnohdl.exe
File created | C:\Windows\SysWOW64\Njlnbg32.exe | Nihedodm.exe
File opened for modification | C:\Windows\SysWOW64\Dfoplkel.exe | Dmfkcf32.exe
File created | C:\Windows\SysWOW64\Hdikch32.exe | Holcka32.exe
File created | C:\Windows\SysWOW64\Mhbagmmf.dll | Nhombc32.exe
File created | C:\Windows\SysWOW64\Jqogiafk.dll | Colhlcig.exe
File created | C:\Windows\SysWOW64\Jopogefh.exe | Jegknp32.exe
File created | C:\Windows\SysWOW64\Jkjfpe32.exe | Jepnck32.exe
File created | C:\Windows\SysWOW64\Jcggjg32.exe | Jjocaaoh.exe
File created | C:\Windows\SysWOW64\Jppedg32.exe | Jfhpkbbj.exe
File created | C:\Windows\SysWOW64\Bmogkkkd.exe | Acdemegf.exe
File created | C:\Windows\SysWOW64\Hdeekjmc.exe | Gqgmdkgm.exe
File created | C:\Windows\SysWOW64\Fenehh32.dll | Enedml32.exe
File created | C:\Windows\SysWOW64\Gcebfqbd.exe | Ghpnihbo.exe
File created | C:\Windows\SysWOW64\Hgjdecca.exe | Hnapln32.exe
File opened for modification | C:\Windows\SysWOW64\Mocogc32.exe | Lqleqg32.exe
File opened for modification | C:\Windows\SysWOW64\Bbilclhb.exe | Bllcke32.exe
File created | C:\Windows\SysWOW64\Benifg32.dll | Oijnib32.exe
File created | C:\Windows\SysWOW64\Abieajgi.exe | Alpmep32.exe
File created | C:\Windows\SysWOW64\Blfodb32.exe | Bflghh32.exe
File created | C:\Windows\SysWOW64\Kbppdi32.dll | Gqepolio.exe
File created | C:\Windows\SysWOW64\Hjdkhpih.exe | Hmqjoljn.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3696 | 3620 | WerFault.exe | 315
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfcohlce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qadfiiil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bllcke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmhppk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqfjpnmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adagjagp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqdeciho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkgllndq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpdihedp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqomqm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqeoegfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kodhbe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpgdealm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggldlpoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpdide32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhhgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhhcpkmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbgggf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njlnbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilggal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfgkdp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elahkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfoinj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efcefndb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjmjln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqleqg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghpnihbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcdinbdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eiocdand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onmkhlph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odnmkb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pocmhnlk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekohac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmqjoljn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjleem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebjfko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjocaaoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhmijn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlhaip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oieencik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlpbpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Celnjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmfpjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdpqec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plbdfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekaegbnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqepolio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iajfin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eonhbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeahpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabnokkq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkkdldhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnldhf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onadck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kahedf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfaodclg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maldcblg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjgjmipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahfmjafa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfoplkel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acdemegf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klkmkoce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pplcabif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghhoej32.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oodhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbpomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oieencik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhadob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkgmkbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmfkcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdikch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjleem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogomh32.dll" Jmafocbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgkiaihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlkcjadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chmpicbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhkhhhg.dll" Feoihi32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ildjlmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chpmocpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpdide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbdfakp.dll" Kefnjdgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbafhael.dll" Oamcjgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kobhkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbicmfqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfobopb.dll" Jopogefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpadek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgdle32.dll" Mgkiaihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgnkgjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdoahp32.dll" 
Eempcfbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcllkkp.dll" Fogmaoib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhombc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmogkkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbijfbdg.dll" Jhhcpkmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adagjagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jepnck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fipenn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkmbliip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceokjimn.dll" Jjocaaoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jakhckdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oodhca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhmblljb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfmbm32.dll" 
Nfhcmkkg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgjcj32.dll" Bdnnpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gibadm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjmjln32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiaagm32.dll" Jpnffoci.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aplppela.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijjlggd.dll" Ikaglgei.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpejc32.dll" Fpngec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbagmmf.dll" Nhombc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onadck32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feoihi32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmmmdd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhohkd32.dll" Icenedep.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Megmpi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfibc32.dll" Jjkmhbek.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpinlpk.dll" Npgngokp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbgggf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpncdfkl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djmpmppn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqjcoo32.dll" Ldcjooac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olhhmele.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiocdand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Minika32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fogmaoib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmafocbb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alikdf32.dll" Emkanhnb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dglmmf32.exe
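Grouped, the records above describe one persistence mechanism: a single CLSID is listed under ShellServiceObjectDelayLoad (the key Explorer.exe walks at logon, instantiating every CLSID it finds), and the InProcServer32 default value of that CLSID is rewritten again and again by the dropped executables to point at whichever SysWow64 DLL the current stage dropped. The script below is an added example, not part of the report or of the sample, that parses lines in the report's own format and joins the two keys. The SAMPLE data is a constructed subset of the InProcServer32 records above plus one ShellServiceObjectDelayLoad record whose value name "ExampleEntry" is a placeholder (the report's own value name is not reused here); the CLSID, DLL paths and process names are those recorded above.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) registrations with the
InProcServer32 values written for the same CLSID, from sandbox registry
IoC lines of the form
    Set value (str) <key>\<name> = "<value>" <process>
    Key created <key> <process>
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed sample in the report's own line format.  The SSODL value name
# "ExampleEntry" is a placeholder; CLSID, DLL paths and processes are real.
SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleEntry = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpkbfi32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aplppela.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgjcj32.dll" Bdnnpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gibadm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiaagm32.dll" Jpnffoci.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbagmmf.dll" Nhombc32.exe
'''.strip().splitlines()

SET_RE = re.compile(r'^Set value \((?P<typ>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.I)


def parse_line(line):
    """Split one IoC line into op/key/value-name/value/process, or None."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m['path'].rpartition('\\')      # trailing '\' means the default value
        value = m['value'].replace('\\\\', '\\')        # the report doubles backslashes in strings
        return {'op': 'set', 'key': key, 'name': name or '(Default)',
                'value': value, 'proc': m['proc']}
    m = KEY_RE.match(line)
    if m:
        return {'op': 'create', 'key': m['path'], 'name': None,
                'value': None, 'proc': m['proc']}
    return None


def correlate(lines):
    """Return {clsid: finding} for each CLSID that is both registered under
    SSODL and has its InProcServer32 touched in the log."""
    ssodl = {}                                          # clsid -> (value name, registering process)
    servers = defaultdict(lambda: {'dlls': [], 'threading': set(), 'writers': set()})
    for rec in filter(None, map(parse_line, lines)):
        if rec['op'] == 'set' and rec['key'].lower().endswith('\\shellserviceobjectdelayload'):
            ssodl[rec['value'].upper()] = (rec['name'], rec['proc'])
            continue
        m = CLSID_RE.search(rec['key'])
        if not m:
            continue
        entry = servers[m.group(1).upper()]
        entry['writers'].add(rec['proc'])
        if rec['op'] == 'set' and rec['name'] == '(Default)':
            entry['dlls'].append(rec['value'])            # every rewrite of the server DLL
        elif rec['op'] == 'set' and rec['name'] == 'ThreadingModel':
            entry['threading'].add(rec['value'])
    findings = {}
    for clsid, (name, registrar) in ssodl.items():
        if clsid in servers:
            s = servers[clsid]
            findings[clsid] = {'ssodl_name': name, 'registered_by': registrar,
                               'dlls': sorted(set(s['dlls'])), 'rewrites': len(s['dlls']),
                               'writers': sorted(s['writers']), 'threading': sorted(s['threading'])}
    return findings


if __name__ == '__main__':
    for clsid, f in correlate(SAMPLE).items():
        print(f"{clsid} listed under SSODL as '{f['ssodl_name']}' by {f['registered_by']}")
        print(f"  InProcServer32 default rewritten {f['rewrites']}x by {len(f['writers'])} processes:")
        for dll in f['dlls']:
            print('   ', dll)
```

On a live host the same join can be done against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKCR\Wow6432Node\CLSID; a CLSID whose server DLL sits in SysWow64 under a name no installer log accounts for, or whose default value changes between two snapshots, is the thing to alert on.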
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2780 wrote to memory of 2576 2780 Lqleqg32.exe 33
PID 2780 wrote to memory of 2576 2780 Lqleqg32.exe 33
PID 2780 wrote to memory of 2576 2780 Lqleqg32.exe 33
PID 2780 wrote to memory of 2576 2780 Lqleqg32.exe 33
PID 2576 wrote to memory of 2652 2576 Mocogc32.exe 34
PID 2576 wrote to memory of 2652 2576 Mocogc32.exe 34
PID 2576 wrote to memory of 2652 2576 Mocogc32.exe 34
PID 2576 wrote to memory of 2652 2576 Mocogc32.exe 34
PID 2652 wrote to memory of 2516 2652 Milcphgf.exe 35
PID 2652 wrote to memory of 2516 2652 Milcphgf.exe 35
PID 2652 wrote to memory of 2516 2652 Milcphgf.exe 35
PID 2652 wrote to memory of 2516 2652 Milcphgf.exe 35
PID 2516 wrote to memory of 2088 2516 Megmpi32.exe 36
PID 2516 wrote to memory of 2088 2516 Megmpi32.exe 36
PID 2516 wrote to memory of 2088 2516 Megmpi32.exe 36
PID 2516 wrote to memory of 2088 2516 Megmpi32.exe 36
PID 2088 wrote to memory of 2420 2088 Nelgkhdp.exe 37
PID 2088 wrote to memory of 2420 2088 Nelgkhdp.exe 37
PID 2088 wrote to memory of 2420 2088 Nelgkhdp.exe 37
PID 2088 wrote to memory of 2420 2088 Nelgkhdp.exe 37
PID 2420 wrote to memory of 956 2420 Nhombc32.exe 38
PID 2420 wrote to memory of 956 2420 Nhombc32.exe 38
PID 2420 wrote to memory of 956 2420 Nhombc32.exe 38
PID 2420 wrote to memory of 956 2420 Nhombc32.exe 38
PID 956 wrote to memory of 2856 956 Ofgfio32.exe 39
PID 956 wrote to memory of 2856 956 Ofgfio32.exe 39
PID 956 wrote to memory of 2856 956 Ofgfio32.exe 39
PID 956 wrote to memory of 2856 956 Ofgfio32.exe 39
PID 2856 wrote to memory of 2044 2856 Oodhca32.exe 40
PID 2856 wrote to memory of 2044 2856 Oodhca32.exe 40
PID 2856 wrote to memory of 2044 2856 Oodhca32.exe 40
PID 2856 wrote to memory of 2044 2856 Oodhca32.exe 40
PID 2044 wrote to memory of 2908 2044 Olhhmele.exe 41
PID 2044 wrote to memory of 2908 2044 Olhhmele.exe 41
PID 2044 wrote to memory of 2908 2044 Olhhmele.exe 41
PID 2044 wrote to memory of 2908 2044 Olhhmele.exe 41
PID 2908 wrote to memory of 2364 2908 Okmena32.exe 42
PID 2908 wrote to memory of 2364 2908 Okmena32.exe 42
PID 2908 wrote to memory of 2364 2908 Okmena32.exe 42
PID 2908 wrote to memory of 2364 2908 Okmena32.exe 42
PID 2364 wrote to memory of 2592 2364 Plfhfiqc.exe 43
PID 2364 wrote to memory of 2592 2364 Plfhfiqc.exe 43
PID 2364 wrote to memory of 2592 2364 Plfhfiqc.exe 43
PID 2364 wrote to memory of 2592 2364 Plfhfiqc.exe 43
PID 2592 wrote to memory of 1372 2592 Qjleem32.exe 44
PID 2592 wrote to memory of 1372 2592 Qjleem32.exe 44
PID 2592 wrote to memory of 1372 2592 Qjleem32.exe 44
PID 2592 wrote to memory of 1372 2592 Qjleem32.exe 44
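The 64 records above are 16 distinct writer/target pairs, each logged four times, and every target PID is the PID of the next entry in the process tree that follows. The script below is an added example, not part of the report, that parses records in this format, collapses the duplicates and walks the writer-to-target links back from the root. It assumes, as an interpretation rather than something the report states, that a parent writing into a process it has just created is the ordinary CreateProcess start-up pattern, so the links are the spawn lineage. SAMPLE is a constructed subset of the records above, repeated four times as in the report, with one malformed line added to show it being skipped.

```python
"""Rebuild the parent->child chain from 'PID A wrote to memory of B A name N'
records, as a sandbox emits them for each WriteProcessMemory into a new child.
Added example, not part of the sandbox report."""
import re
from collections import Counter, defaultdict

# Constructed sample: four distinct records from the table above, each
# repeated four times exactly as the report logs them, plus one bad line.
SAMPLE = """
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2028 wrote to memory of 2456 2028 f93354ce6aebf2f950e1e4b21f8e6f20N.exe 29
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2456 wrote to memory of 2196 2456 Kfiajj32.exe 30
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2196 wrote to memory of 2748 2196 Koafcppm.exe 31
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
PID 2748 wrote to memory of 2780 2748 Lfpgkicd.exe 32
this line is not a record
""".strip().splitlines()

REC_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$')


def parse_records(lines):
    """Return (writer_pid, target_pid, writer_name, target_index) tuples;
    lines that do not match, or whose pid column contradicts the writer, are skipped."""
    out = []
    for line in lines:
        m = REC_RE.match(line.strip())
        if m and m['src'] == m['pid']:
            out.append((int(m['src']), int(m['dst']), m['proc'], int(m['target'])))
    return out


def build_chain(records):
    """Collapse duplicate records and walk writer -> target from the one root.
    Returns (chain, duplicates): chain is [(pid, name), ...] ending with the final
    target, whose own name is not present in these records (None)."""
    distinct = Counter(records)
    duplicates = sum(n - 1 for n in distinct.values())
    children = defaultdict(set)
    name_of = {}
    for src, dst, proc, _ in distinct:
        children[src].add(dst)
        name_of[src] = proc
    all_targets = {d for ds in children.values() for d in ds}
    roots = [s for s in children if s not in all_targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, got {roots}')
    chain, cur = [], roots[0]
    while cur in children:
        if len(children[cur]) != 1:             # a fan-out would not be a simple chain
            raise ValueError(f'pid {cur} wrote into several processes: {sorted(children[cur])}')
        chain.append((cur, name_of[cur]))
        cur = next(iter(children[cur]))
    chain.append((cur, None))
    return chain, duplicates


if __name__ == '__main__':
    chain, dups = build_chain(parse_records(SAMPLE))
    print(f'{dups} duplicate records collapsed')
    print(' -> '.join(f'{pid}:{name or "?"}' for pid, name in chain))
```

Joining the final target PID against the process tree (2780 is Lqleqg32.exe below) fills in the last name; the same walk over all 64 records gives the 17-process chain from the submitted sample down to Qcdinbdk.exe (PID 1372).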
Processes
C:\Users\Admin\AppData\Local\Temp\f93354ce6aebf2f950e1e4b21f8e6f20N.exe (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\f93354ce6aebf2f950e1e4b21f8e6f20N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\Kfiajj32.exe (depth 2; command line: C:\Windows\system32\Kfiajj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\Koafcppm.exe (depth 3; command line: C:\Windows\system32\Koafcppm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Lfpgkicd.exe (depth 4; command line: C:\Windows\system32\Lfpgkicd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Lqleqg32.exe (depth 5; command line: C:\Windows\system32\Lqleqg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\Mocogc32.exe (depth 6; command line: C:\Windows\system32\Mocogc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\Milcphgf.exe (depth 7; command line: C:\Windows\system32\Milcphgf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\Megmpi32.exe (depth 8; command line: C:\Windows\system32\Megmpi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Nelgkhdp.exe (depth 9; command line: C:\Windows\system32\Nelgkhdp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\Nhombc32.exe (depth 10; command line: C:\Windows\system32\Nhombc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\Ofgfio32.exe (depth 11; command line: C:\Windows\system32\Ofgfio32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\Oodhca32.exe (depth 12; command line: C:\Windows\system32\Oodhca32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\Olhhmele.exe (depth 13; command line: C:\Windows\system32\Olhhmele.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\Okmena32.exe (depth 14; command line: C:\Windows\system32\Okmena32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\Plfhfiqc.exe (depth 15; command line: C:\Windows\system32\Plfhfiqc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\Qjleem32.exe (depth 16; command line: C:\Windows\system32\Qjleem32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\Qcdinbdk.exe (depth 17; command line: C:\Windows\system32\Qcdinbdk.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372

C:\Windows\SysWOW64\Aopcnbfj.exe (depth 18; command line: C:\Windows\system32\Aopcnbfj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2096

C:\Windows\SysWOW64\Ahhhgh32.exe (depth 19; command line: C:\Windows\system32\Ahhhgh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1780

C:\Windows\SysWOW64\Aqcmkjje.exe (depth 20; command line: C:\Windows\system32\Aqcmkjje.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1376

C:\Windows\SysWOW64\Acdemegf.exe (depth 21; command line: C:\Windows\system32\Acdemegf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:236

C:\Windows\SysWOW64\Bmogkkkd.exe (depth 22; command line: C:\Windows\system32\Bmogkkkd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2296

C:\Windows\SysWOW64\Bfgkdp32.exe (depth 23; command line: C:\Windows\system32\Bfgkdp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016

C:\Windows\SysWOW64\Bpdihedp.exe (depth 24; command line: C:\Windows\system32\Bpdihedp.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1232

C:\Windows\SysWOW64\Cgbjbgph.exe (depth 25; command line: C:\Windows\system32\Cgbjbgph.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2480

C:\Windows\SysWOW64\Cpbiaiin.exe (depth 26; command line: C:\Windows\system32\Cpbiaiin.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Windows\SysWOW64\Dfnncb32.exe (depth 27; command line: C:\Windows\system32\Dfnncb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2168

C:\Windows\SysWOW64\Dlmcaijm.exe (depth 28; command line: C:\Windows\system32\Dlmcaijm.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2756

C:\Windows\SysWOW64\Deegjo32.exe (depth 29; command line: C:\Windows\system32\Deegjo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Windows\SysWOW64\Dmcidqlf.exe (depth 30; command line: C:\Windows\system32\Dmcidqlf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2704

C:\Windows\SysWOW64\Dglmmf32.exe (depth 31; command line: C:\Windows\system32\Dglmmf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2532

C:\Windows\SysWOW64\Epfnkk32.exe (depth 32; command line: C:\Windows\system32\Epfnkk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2968

C:\Windows\SysWOW64\Eiocdand.exe (depth 33; command line: C:\Windows\system32\Eiocdand.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728

C:\Windows\SysWOW64\Eonhbg32.exe (depth 34; command line: C:\Windows\system32\Eonhbg32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:880

C:\Windows\SysWOW64\Elahkl32.exe (depth 35; command line: C:\Windows\system32\Elahkl32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536

C:\Windows\SysWOW64\Fkgemh32.exe (depth 36; command line: C:\Windows\system32\Fkgemh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:908

C:\Windows\SysWOW64\Fnhnnc32.exe (depth 37; command line: C:\Windows\system32\Fnhnnc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:768

C:\Windows\SysWOW64\Fhmblljb.exe (depth 38; command line: C:\Windows\system32\Fhmblljb.exe)
- Executes dropped EXE
- Modifies registry class
PID:2948

C:\Windows\SysWOW64\Faegda32.exe (depth 39; command line: C:\Windows\system32\Faegda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\Fqkdenfj.exe (depth 40; command line: C:\Windows\system32\Fqkdenfj.exe)
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Fkphcg32.exe (depth 41; command line: C:\Windows\system32\Fkphcg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2136

C:\Windows\SysWOW64\Gggihhkd.exe (depth 42; command line: C:\Windows\system32\Gggihhkd.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2508

C:\Windows\SysWOW64\Gqomqm32.exe (depth 43; command line: C:\Windows\system32\Gqomqm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:604

C:\Windows\SysWOW64\Gmfnen32.exe (depth 44; command line: C:\Windows\system32\Gmfnen32.exe)
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\Gfobndnj.exe (depth 45; command line: C:\Windows\system32\Gfobndnj.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:924

C:\Windows\SysWOW64\Gfaodclg.exe (depth 46; command line: C:\Windows\system32\Gfaodclg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000

C:\Windows\SysWOW64\Gnldhf32.exe (depth 47; command line: C:\Windows\system32\Gnldhf32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668

C:\Windows\SysWOW64\Hgdhakpb.exe (depth 48; command line: C:\Windows\system32\Hgdhakpb.exe)
- Executes dropped EXE
PID:2896

C:\Windows\SysWOW64\Hidekn32.exe (depth 49; command line: C:\Windows\system32\Hidekn32.exe)
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\Hblidd32.exe (depth 50; command line: C:\Windows\system32\Hblidd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300

C:\Windows\SysWOW64\Hjgnhf32.exe (depth 51; command line: C:\Windows\system32\Hjgnhf32.exe)
- Executes dropped EXE
PID:2972

C:\Windows\SysWOW64\Hjjknfin.exe (depth 52; command line: C:\Windows\system32\Hjjknfin.exe)
- Executes dropped EXE
PID:2380

C:\Windows\SysWOW64\Hgnkgjgh.exe (depth 53; command line: C:\Windows\system32\Hgnkgjgh.exe)
- Executes dropped EXE
- Modifies registry class
PID:2660

C:\Windows\SysWOW64\Ibglhhdf.exe (depth 54; command line: C:\Windows\system32\Ibglhhdf.exe)
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\Immqeq32.exe (depth 55; command line: C:\Windows\system32\Immqeq32.exe)
- Executes dropped EXE
PID:2596

C:\Windows\SysWOW64\Iidajaiq.exe (depth 56; command line: C:\Windows\system32\Iidajaiq.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2564

C:\Windows\SysWOW64\Ipnigl32.exe (depth 57; command line: C:\Windows\system32\Ipnigl32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2976

C:\Windows\SysWOW64\Ildjlmfb.exe (depth 58; command line: C:\Windows\system32\Ildjlmfb.exe)
- Executes dropped EXE
- Modifies registry class
PID:1448

C:\Windows\SysWOW64\Ilggal32.exe (depth 59; command line: C:\Windows\system32\Ilggal32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516

C:\Windows\SysWOW64\Ieokjbkp.exe (depth 60; command line: C:\Windows\system32\Ieokjbkp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2832

C:\Windows\SysWOW64\Jjldbiig.exe (depth 61; command line: C:\Windows\system32\Jjldbiig.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\Jeahpa32.exe (depth 62; command line: C:\Windows\system32\Jeahpa32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1396

C:\Windows\SysWOW64\Jmmmdd32.exe (depth 63; command line: C:\Windows\system32\Jmmmdd32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2256

C:\Windows\SysWOW64\Jolingnk.exe (depth 64; command line: C:\Windows\system32\Jolingnk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\Jpnffoci.exe (depth 65; command line: C:\Windows\system32\Jpnffoci.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2520

C:\Windows\SysWOW64\Jmafocbb.exe (depth 66; command line: C:\Windows\system32\Jmafocbb.exe)
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\Jmdcecpp.exe (depth 67; command line: C:\Windows\system32\Jmdcecpp.exe)
PID:1636

C:\Windows\SysWOW64\Jbqkmj32.exe (depth 68; command line: C:\Windows\system32\Jbqkmj32.exe)
PID:1456

C:\Windows\SysWOW64\Kmfpjb32.exe (depth 69; command line: C:\Windows\system32\Kmfpjb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:944

C:\Windows\SysWOW64\Kgodchen.exe (depth 70; command line: C:\Windows\system32\Kgodchen.exe)
PID:1764

C:\Windows\SysWOW64\Klkmkoce.exe (depth 71; command line: C:\Windows\system32\Klkmkoce.exe)
- System Location Discovery: System Language Discovery
PID:1776

C:\Windows\SysWOW64\Kahedf32.exe (depth 72; command line: C:\Windows\system32\Kahedf32.exe)
- System Location Discovery: System Language Discovery
PID:2404

C:\Windows\SysWOW64\Klniao32.exe (depth 73; command line: C:\Windows\system32\Klniao32.exe)
PID:2640

C:\Windows\SysWOW64\Kefnjdgc.exe (depth 74; command line: C:\Windows\system32\Kefnjdgc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2736

C:\Windows\SysWOW64\Kkcfbkfj.exe (depth 75; command line: C:\Windows\system32\Kkcfbkfj.exe)
PID:2684

C:\Windows\SysWOW64\Llnepb32.exe (depth 76; command line: C:\Windows\system32\Llnepb32.exe)
PID:2988

C:\Windows\SysWOW64\Lonoamqo.exe (depth 77; command line: C:\Windows\system32\Lonoamqo.exe)
PID:1476

C:\Windows\SysWOW64\Mhfckc32.exe (depth 78; command line: C:\Windows\system32\Mhfckc32.exe)
PID:1496

C:\Windows\SysWOW64\Mfkcdgfi.exe (depth 79; command line: C:\Windows\system32\Mfkcdgfi.exe)
PID:2232

C:\Windows\SysWOW64\Mkgllndq.exe (depth 80; command line: C:\Windows\system32\Mkgllndq.exe)
- System Location Discovery: System Language Discovery
PID:852

C:\Windows\SysWOW64\Mdpqec32.exe (depth 81; command line: C:\Windows\system32\Mdpqec32.exe)
- System Location Discovery: System Language Discovery
PID:2852

C:\Windows\SysWOW64\Mgnmao32.exe (depth 82; command line: C:\Windows\system32\Mgnmao32.exe)
PID:1356

C:\Windows\SysWOW64\Minika32.exe (depth 83; command line: C:\Windows\system32\Minika32.exe)
- Modifies registry class
PID:2292

C:\Windows\SysWOW64\Mqinpd32.exe (depth 84; command line: C:\Windows\system32\Mqinpd32.exe)
PID:2224

C:\Windows\SysWOW64\Mcgjlp32.exe (depth 85; command line: C:\Windows\system32\Mcgjlp32.exe)
PID:1284

C:\Windows\SysWOW64\Nfhcmkkg.exe (depth 86; command line: C:\Windows\system32\Nfhcmkkg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1744

C:\Windows\SysWOW64\Nqngkcjm.exe (depth 87; command line: C:\Windows\system32\Nqngkcjm.exe)
PID:1016

C:\Windows\SysWOW64\Nmdhpd32.exe (depth 88; command line: C:\Windows\system32\Nmdhpd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560

C:\Windows\SysWOW64\Nfmlhjfb.exe (depth 89; command line: C:\Windows\system32\Nfmlhjfb.exe)
PID:3024

C:\Windows\SysWOW64\Nfoinj32.exe (depth 90; command line: C:\Windows\system32\Nfoinj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2288

C:\Windows\SysWOW64\Npgngokp.exe (depth 91; command line: C:\Windows\system32\Npgngokp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:888

C:\Windows\SysWOW64\Nedfofig.exe (depth 92; command line: C:\Windows\system32\Nedfofig.exe)
- Drops file in System32 directory
PID:3064

C:\Windows\SysWOW64\Onmkhlph.exe (depth 93; command line: C:\Windows\system32\Onmkhlph.exe)
- System Location Discovery: System Language Discovery
PID:2984

C:\Windows\SysWOW64\Ojckmm32.exe (depth 94; command line: C:\Windows\system32\Ojckmm32.exe)
PID:2580

C:\Windows\SysWOW64\Oamcjgmi.exe (depth 95; command line: C:\Windows\system32\Oamcjgmi.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3060

C:\Windows\SysWOW64\Onadck32.exe (depth 96; command line: C:\Windows\system32\Onadck32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2080

C:\Windows\SysWOW64\Odnmkb32.exe (depth 97; command line: C:\Windows\system32\Odnmkb32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2040

C:\Windows\SysWOW64\Opempcpn.exe (depth 98; command line: C:\Windows\system32\Opempcpn.exe)
PID:2828

C:\Windows\SysWOW64\Ojjanlod.exe (depth 99; command line: C:\Windows\system32\Ojjanlod.exe)
PID:1720

C:\Windows\SysWOW64\Pipnohdl.exe (depth 100; command line: C:\Windows\system32\Pipnohdl.exe)
- Drops file in System32 directory
PID:2340

C:\Windows\SysWOW64\Pfcohlce.exe (depth 101; command line: C:\Windows\system32\Pfcohlce.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1676

C:\Windows\SysWOW64\Pplcabif.exe (depth 102; command line: C:\Windows\system32\Pplcabif.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2436

C:\Windows\SysWOW64\Plbdfc32.exe (depth 103; command line: C:\Windows\system32\Plbdfc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2032

C:\Windows\SysWOW64\Pekhohfk.exe (depth 104; command line: C:\Windows\system32\Pekhohfk.exe)
PID:1072

C:\Windows\SysWOW64\Pocmhnlk.exe (depth 105; command line: C:\Windows\system32\Pocmhnlk.exe)
- System Location Discovery: System Language Discovery
PID:1964

C:\Windows\SysWOW64\Plgmabke.exe (depth 106; command line: C:\Windows\system32\Plgmabke.exe)
PID:2280

C:\Windows\SysWOW64\Qadfiiil.exe (depth 107; command line: C:\Windows\system32\Qadfiiil.exe)
- System Location Discovery: System Language Discovery
PID:1612

C:\Windows\SysWOW64\Qganapgc.exe (depth 108; command line: C:\Windows\system32\Qganapgc.exe)
PID:2844

C:\Windows\SysWOW64\Qpicjend.exe (depth 109; command line: C:\Windows\system32\Qpicjend.exe)
PID:2560

C:\Windows\SysWOW64\Aiagck32.exe (depth 110; command line: C:\Windows\system32\Aiagck32.exe)
PID:2716

C:\Windows\SysWOW64\Aplppela.exe (depth 111; command line: C:\Windows\system32\Aplppela.exe)
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\Albpef32.exe (depth 112; command line: C:\Windows\system32\Albpef32.exe)
- Drops file in System32 directory
PID:1828

C:\Windows\SysWOW64\Aghdboal.exe (depth 113; command line: C:\Windows\system32\Aghdboal.exe)
PID:1288

C:\Windows\SysWOW64\Anbmoi32.exe (depth 114; command line: C:\Windows\system32\Anbmoi32.exe)
PID:1556

C:\Windows\SysWOW64\Acoegp32.exe (depth 115; command line: C:\Windows\system32\Acoegp32.exe)
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\Apcfqd32.exe (depth 116; command line: C:\Windows\system32\Apcfqd32.exe)
PID:2116

C:\Windows\SysWOW64\Ahnjefcd.exe (depth 117; command line: C:\Windows\system32\Ahnjefcd.exe)
PID:2276

C:\Windows\SysWOW64\Accobock.exe (depth 118; command line: C:\Windows\system32\Accobock.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532

C:\Windows\SysWOW64\Bllcke32.exe (depth 119; command line: C:\Windows\system32\Bllcke32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:696

C:\Windows\SysWOW64\Bbilclhb.exe (depth 120; command line: C:\Windows\system32\Bbilclhb.exe)
PID:2208

C:\Windows\SysWOW64\Bomlmpgl.exe (depth 121; command line: C:\Windows\system32\Bomlmpgl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732

C:\Windows\SysWOW64\Bqnidh32.exe (depth 122; command line: C:\Windows\system32\Bqnidh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788