Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 66s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: 118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf.exe
  Resource: win10v2004-20240802-en
General
Target: 118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf.exe
Size: 87KB
MD5: 10a772a5534bbb0244f6a1455a46204f
SHA1: bfbe57382219103152099e316d002193f6058384
SHA256: 118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf
SHA512: 8b4409b257a25876ef9f46dd2ce3ed27739ebc58e35187da7e91f1b24dc6b9e5c4d68c2fc690fb4805138b9d443305db420e36b1de4bc90ca71d25486025f2af
SSDEEP: 1536:NGI2QuzzniuCpMrHO2aeTVj7WIKKxHcaRQ45RSRBDNrR0RVe7R6R8RPD2zx:NGq2euBOZoj7nHNeEAnDlmbGcGFDex
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4564, pid_target: 2632, Process: WerFault.exe, procid_target: 397
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (numbered by nesting depth in the process tree; path, PID, command line, then the signatures triggered by that process)

1. C:\Users\Admin\AppData\Local\Temp\118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf.exe (PID 1144); command line: "C:\Users\Admin\AppData\Local\Temp\118ec24aab289f80435c44246c8e4e7ffd34476a4030c50b61d093d88b102acf.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lkomhp32.exe (PID 2456); command line: C:\Windows\system32\Lkomhp32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lcjamb32.exe (PID 2624); command line: C:\Windows\system32\Lcjamb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mjgfol32.exe (PID 2740); command line: C:\Windows\system32\Mjgfol32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mfngdmgb.exe (PID 2540); command line: C:\Windows\system32\Mfngdmgb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mbgdonkd.exe (PID 2984); command line: C:\Windows\system32\Mbgdonkd.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mbiadm32.exe (PID 2544); command line: C:\Windows\system32\Mbiadm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nejjfh32.exe (PID 2964); command line: C:\Windows\system32\Nejjfh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Njfbno32.exe (PID 2144); command line: C:\Windows\system32\Njfbno32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Nhjcgccc.exe (PID 2416); command line: C:\Windows\system32\Nhjcgccc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Nfbmnpfh.exe (PID 1692); command line: C:\Windows\system32\Nfbmnpfh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ofgfio32.exe (PID 2572); command line: C:\Windows\system32\Ofgfio32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Opokbdhc.exe (PID 972); command line: C:\Windows\system32\Opokbdhc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Oijlpjma.exe (PID 2912); command line: C:\Windows\system32\Oijlpjma.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Oaeqeljm.exe (PID 3048); command line: C:\Windows\system32\Oaeqeljm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ppmjkhma.exe (PID 2600); command line: C:\Windows\system32\Ppmjkhma.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pkboiamh.exe (PID 2436); command line: C:\Windows\system32\Pkboiamh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
18. C:\Windows\SysWOW64\Pcppbc32.exe (PID 1016); command line: C:\Windows\system32\Pcppbc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
19. C:\Windows\SysWOW64\Pcbmhb32.exe (PID 2320); command line: C:\Windows\system32\Pcbmhb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Qecejnco.exe (PID 668); command line: C:\Windows\system32\Qecejnco.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
21. C:\Windows\SysWOW64\Akbkhd32.exe (PID 2896); command line: C:\Windows\system32\Akbkhd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Admlfida.exe (PID 304); command line: C:\Windows\system32\Admlfida.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
23. C:\Windows\SysWOW64\Anepooja.exe (PID 1992); command line: C:\Windows\system32\Anepooja.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
24. C:\Windows\SysWOW64\Aqfiqjgb.exe (PID 2280); command line: C:\Windows\system32\Aqfiqjgb.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Ajnnipnc.exe (PID 2208); command line: C:\Windows\system32\Ajnnipnc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
26. C:\Windows\SysWOW64\Bmogkkkd.exe (PID 2216); command line: C:\Windows\system32\Bmogkkkd.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Bkdclgpl.exe (PID 2728); command line: C:\Windows\system32\Bkdclgpl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
28. C:\Windows\SysWOW64\Bkfqbgni.exe (PID 2636); command line: C:\Windows\system32\Bkfqbgni.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Bkimgflg.exe (PID 2568); command line: C:\Windows\system32\Bkimgflg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Beaaplbg.exe (PID 2644); command line: C:\Windows\system32\Beaaplbg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
31. C:\Windows\SysWOW64\Ckmfbf32.exe (PID 2604); command line: C:\Windows\system32\Ckmfbf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Cnnpdaeb.exe (PID 760); command line: C:\Windows\system32\Cnnpdaeb.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
33. C:\Windows\SysWOW64\Cpbiaiin.exe (PID 2976); command line: C:\Windows\system32\Cpbiaiin.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Deanooeb.exe (PID 2024); command line: C:\Windows\system32\Deanooeb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ecggmfde.exe (PID 2472); command line: C:\Windows\system32\Ecggmfde.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Fkgemh32.exe (PID 2852); command line: C:\Windows\system32\Fkgemh32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Fdojendk.exe (PID 1460); command line: C:\Windows\system32\Fdojendk.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Fkibbh32.exe (PID 1464); command line: C:\Windows\system32\Fkibbh32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Fdafkm32.exe (PID 2900); command line: C:\Windows\system32\Fdafkm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Fnjkdcii.exe (PID 2104); command line: C:\Windows\system32\Fnjkdcii.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Fknlmggc.exe (PID 2316); command line: C:\Windows\system32\Fknlmggc.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Fcipaien.exe (PID 1372); command line: C:\Windows\system32\Fcipaien.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Glaejokn.exe (PID 1352); command line: C:\Windows\system32\Glaejokn.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Gobnljhp.exe (PID 2276); command line: C:\Windows\system32\Gobnljhp.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Gjhbic32.exe (PID 1852); command line: C:\Windows\system32\Gjhbic32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Gbcgne32.exe (PID 552); command line: C:\Windows\system32\Gbcgne32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Gkkkgkla.exe (PID 1764); command line: C:\Windows\system32\Gkkkgkla.exe
   - Executes dropped EXE
   - Modifies registry class
48. C:\Windows\SysWOW64\Gddppp32.exe (PID 1504); command line: C:\Windows\system32\Gddppp32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Gknhlj32.exe (PID 1420); command line: C:\Windows\system32\Gknhlj32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Hgdhakpb.exe (PID 1712); command line: C:\Windows\system32\Hgdhakpb.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Hehikpol.exe (PID 2660); command line: C:\Windows\system32\Hehikpol.exe
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Hkbagjfi.exe (PID 2128); command line: C:\Windows\system32\Hkbagjfi.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Hekfpo32.exe (PID 2532); command line: C:\Windows\system32\Hekfpo32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
54. C:\Windows\SysWOW64\Haafepbn.exe (PID 1476); command line: C:\Windows\system32\Haafepbn.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
55. C:\Windows\SysWOW64\Hfnomgqe.exe (PID 2980); command line: C:\Windows\system32\Hfnomgqe.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Hadckp32.exe (PID 2712); command line: C:\Windows\system32\Hadckp32.exe
   - Executes dropped EXE
   - Modifies registry class
57. C:\Windows\SysWOW64\Hjlhcegl.exe (PID 1800); command line: C:\Windows\system32\Hjlhcegl.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
58. C:\Windows\SysWOW64\Ipipllec.exe (PID 1748); command line: C:\Windows\system32\Ipipllec.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Iiaddb32.exe (PID 556); command line: C:\Windows\system32\Iiaddb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ibjing32.exe (PID 2908); command line: C:\Windows\system32\Ibjing32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ifhacfhj.exe (PID 2312); command line: C:\Windows\system32\Ifhacfhj.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Ihinkn32.exe (PID 2056); command line: C:\Windows\system32\Ihinkn32.exe
   - Executes dropped EXE
   - Modifies registry class
63. C:\Windows\SysWOW64\Ifjoie32.exe (PID 2116); command line: C:\Windows\system32\Ifjoie32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Ilggal32.exe (PID 1780); command line: C:\Windows\system32\Ilggal32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ieokjbkp.exe (PID 2000); command line: C:\Windows\system32\Ieokjbkp.exe
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Jaflocqd.exe (PID 1664); command line: C:\Windows\system32\Jaflocqd.exe
67. C:\Windows\SysWOW64\Jllpmlqj.exe (PID 2376); command line: C:\Windows\system32\Jllpmlqj.exe
   - System Location Discovery: System Language Discovery
   - Modifies registry class
68. C:\Windows\SysWOW64\Jkqmnh32.exe (PID 2760); command line: C:\Windows\system32\Jkqmnh32.exe
   - Modifies registry class
69. C:\Windows\SysWOW64\Jdibfn32.exe (PID 2484); command line: C:\Windows\system32\Jdibfn32.exe
   - Modifies registry class
70. C:\Windows\SysWOW64\Jmafocbb.exe (PID 2808); command line: C:\Windows\system32\Jmafocbb.exe
71. C:\Windows\SysWOW64\Jbnogjqj.exe (PID 1716); command line: C:\Windows\system32\Jbnogjqj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Jpboan32.exe (PID 2792); command line: C:\Windows\system32\Jpboan32.exe
73. C:\Windows\SysWOW64\Kikcjdfd.exe (PID 2840); command line: C:\Windows\system32\Kikcjdfd.exe
74. C:\Windows\SysWOW64\Kgodchen.exe (PID 2968); command line: C:\Windows\system32\Kgodchen.exe
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Klkmkoce.exe (PID 3060); command line: C:\Windows\system32\Klkmkoce.exe
76. C:\Windows\SysWOW64\Kkqjmlhm.exe (PID 1296); command line: C:\Windows\system32\Kkqjmlhm.exe
   - System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Klpffn32.exe (PID 768); command line: C:\Windows\system32\Klpffn32.exe
78. C:\Windows\SysWOW64\Kgjgglko.exe (PID 2228); command line: C:\Windows\system32\Kgjgglko.exe
79. C:\Windows\SysWOW64\Ljjpighp.exe (PID 1396); command line: C:\Windows\system32\Ljjpighp.exe
80. C:\Windows\SysWOW64\Lccdamop.exe (PID 804); command line: C:\Windows\system32\Lccdamop.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
81. C:\Windows\SysWOW64\Lnhioeof.exe (PID 2816); command line: C:\Windows\system32\Lnhioeof.exe
82. C:\Windows\SysWOW64\Lceagmmn.exe (PID 2432); command line: C:\Windows\system32\Lceagmmn.exe
83. C:\Windows\SysWOW64\Lnkedemc.exe (PID 2200); command line: C:\Windows\system32\Lnkedemc.exe
   - Drops file in System32 directory
84. C:\Windows\SysWOW64\Lgcjmkcd.exe (PID 2004); command line: C:\Windows\system32\Lgcjmkcd.exe
85. C:\Windows\SysWOW64\Lonoamqo.exe (PID 868); command line: C:\Windows\system32\Lonoamqo.exe
86. C:\Windows\SysWOW64\Moqkgmol.exe (PID 2272); command line: C:\Windows\system32\Moqkgmol.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Mdmdpd32.exe (PID 840); command line: C:\Windows\system32\Mdmdpd32.exe
   - Drops file in System32 directory
88. C:\Windows\SysWOW64\Mochmm32.exe (PID 3064); command line: C:\Windows\system32\Mochmm32.exe
   - System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Mgnmao32.exe (PID 2892); command line: C:\Windows\system32\Mgnmao32.exe
90. C:\Windows\SysWOW64\Mklegm32.exe (PID 2720); command line: C:\Windows\system32\Mklegm32.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
91. C:\Windows\SysWOW64\Mbfndggh.exe (PID 2596); command line: C:\Windows\system32\Mbfndggh.exe
92. C:\Windows\SysWOW64\Mknbmm32.exe (PID 1496); command line: C:\Windows\system32\Mknbmm32.exe
93. C:\Windows\SysWOW64\Negffbdi.exe (PID 1516); command line: C:\Windows\system32\Negffbdi.exe
94. C:\Windows\SysWOW64\Ngecbndm.exe (PID 2856); command line: C:\Windows\system32\Ngecbndm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
95. C:\Windows\SysWOW64\Nnokohkj.exe (PID 1048); command line: C:\Windows\system32\Nnokohkj.exe
   - Modifies registry class
96. C:\Windows\SysWOW64\Nclcgoia.exe (PID 936); command line: C:\Windows\system32\Nclcgoia.exe
   - Modifies registry class
97. C:\Windows\SysWOW64\Objcnj32.exe (PID 1600); command line: C:\Windows\system32\Objcnj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
98. C:\Windows\SysWOW64\Ojfhblci.exe (PID 1360); command line: C:\Windows\system32\Ojfhblci.exe
   - System Location Discovery: System Language Discovery
99. C:\Windows\SysWOW64\Ojhehlag.exe (PID 1632); command line: C:\Windows\system32\Ojhehlag.exe
100. C:\Windows\SysWOW64\Pfabbmeh.exe (PID 2460); command line: C:\Windows\system32\Pfabbmeh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Ppjfkb32.exe (PID 2612); command line: C:\Windows\system32\Ppjfkb32.exe
   - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Pefoci32.exe (PID 2168); command line: C:\Windows\system32\Pefoci32.exe
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Pbjpmmij.exe (PID 1588); command line: C:\Windows\system32\Pbjpmmij.exe
104. C:\Windows\SysWOW64\Phghedga.exe (PID 2732); command line: C:\Windows\system32\Phghedga.exe
105. C:\Windows\SysWOW64\Pkhagodb.exe (PID 2776); command line: C:\Windows\system32\Pkhagodb.exe
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Pemedh32.exe (PID 2448); command line: C:\Windows\system32\Pemedh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
107. C:\Windows\SysWOW64\Qmijij32.exe (PID 576); command line: C:\Windows\system32\Qmijij32.exe
108. C:\Windows\SysWOW64\Qganapgc.exe (PID 1696); command line: C:\Windows\system32\Qganapgc.exe
109. C:\Windows\SysWOW64\Qpicjend.exe (PID 1988); command line: C:\Windows\system32\Qpicjend.exe
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\Akoghnnj.exe (PID 3020); command line: C:\Windows\system32\Akoghnnj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
111. C:\Windows\SysWOW64\Aaiodh32.exe (PID 2140); command line: C:\Windows\system32\Aaiodh32.exe
112. C:\Windows\SysWOW64\Albpef32.exe (PID 2820); command line: C:\Windows\system32\Albpef32.exe
113. C:\Windows\SysWOW64\Aekenl32.exe (PID 1644); command line: C:\Windows\system32\Aekenl32.exe
114. C:\Windows\SysWOW64\Appikd32.exe (PID 1532); command line: C:\Windows\system32\Appikd32.exe
115. C:\Windows\SysWOW64\Ahlnpg32.exe (PID 2480); command line: C:\Windows\system32\Ahlnpg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Acabmpem.exe (PID 1640); command line: C:\Windows\system32\Acabmpem.exe
117. C:\Windows\SysWOW64\Alifee32.exe (PID 2656); command line: C:\Windows\system32\Alifee32.exe
118. C:\Windows\SysWOW64\Bdekjg32.exe (PID 2592); command line: C:\Windows\system32\Bdekjg32.exe
119. C:\Windows\SysWOW64\Bojogp32.exe (PID 1816); command line: C:\Windows\system32\Bojogp32.exe
120. C:\Windows\SysWOW64\Bkapla32.exe (PID 1096); command line: C:\Windows\system32\Bkapla32.exe
121. C:\Windows\SysWOW64\Bqnidh32.exe (PID 1564); command line: C:\Windows\system32\Bqnidh32.exe
122. C:\Windows\SysWOW64\Bjfmmnck.exe (PID 2296); command line: C:\Windows\system32\Bjfmmnck.exe
   - System Location Discovery: System Language Discovery