Analysis
max time kernel: 115s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 10:29
Static task: static1
Behavioral task: behavioral1
Sample: 35ee8050691e457333dfb2617c3e7b80N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 35ee8050691e457333dfb2617c3e7b80N.exe
Resource: win10v2004-20240802-en
General
Target: 35ee8050691e457333dfb2617c3e7b80N.exe
Size: 45KB
MD5: 35ee8050691e457333dfb2617c3e7b80
SHA1: f455b8f4a0ae7fd83d23e969df0fda496ca9dd35
SHA256: 04b4f78f334b5af487b5ddeec7dddf3984c5fdf72ceb2cfb0db2268affcbfb7c
SHA512: dfe49776a862d0d79f5a975b483546ff07a5d85aeec325e19086cc01e350e9e1c4acc06a0efb3f6930d2be4cd0c3ba9a7ffd4ecf85658a934d53626295c23ba8
SSDEEP: 768:aR5IRQHi4wok2Q7YUUlimyZtMQ++KQTwrPTTVLN/1H5Q:SFmok24YDMZe7+NGPTxju
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 1532, pid_target: 1640, Process: Process not Found, procid_target: 1306
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (the list number is the nesting depth in the sandbox's tree; each entry gives the executed path, the command line as recorded, the PID and the signatures triggered by that process):
1. C:\Users\Admin\AppData\Local\Temp\35ee8050691e457333dfb2617c3e7b80N.exe, cmdline "C:\Users\Admin\AppData\Local\Temp\35ee8050691e457333dfb2617c3e7b80N.exe", PID 1036: Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lhlgaedj.exe, cmdline C:\Windows\system32\Lhlgaedj.exe, PID 2512: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Llhcad32.exe, cmdline C:\Windows\system32\Llhcad32.exe, PID 2320: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lnipilbb.exe, cmdline C:\Windows\system32\Lnipilbb.exe, PID 1780: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lbdljk32.exe, cmdline C:\Windows\system32\Lbdljk32.exe, PID 2780: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lhodgebh.exe, cmdline C:\Windows\system32\Lhodgebh.exe, PID 2736: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lbghpjih.exe, cmdline C:\Windows\system32\Lbghpjih.exe, PID 2584: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lqjhkg32.exe, cmdline C:\Windows\system32\Lqjhkg32.exe, PID 2608: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lkomhp32.exe, cmdline C:\Windows\system32\Lkomhp32.exe, PID 1776: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lnnidk32.exe, cmdline C:\Windows\system32\Lnnidk32.exe, PID 2876: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ldhaaefi.exe, cmdline C:\Windows\system32\Ldhaaefi.exe, PID 2392: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lkainp32.exe, cmdline C:\Windows\system32\Lkainp32.exe, PID 1704: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lnpejklj.exe, cmdline C:\Windows\system32\Lnpejklj.exe, PID 2444: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mdjnge32.exe, cmdline C:\Windows\system32\Mdjnge32.exe, PID 2728: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mghjcq32.exe, cmdline C:\Windows\system32\Mghjcq32.exe, PID 340: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mmebkg32.exe, cmdline C:\Windows\system32\Mmebkg32.exe, PID 2524: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mocogc32.exe, cmdline C:\Windows\system32\Mocogc32.exe, PID 2180: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Mfngdmgb.exe, cmdline C:\Windows\system32\Mfngdmgb.exe, PID 2196: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Mjicdl32.exe, cmdline C:\Windows\system32\Mjicdl32.exe, PID 2924: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Milcphgf.exe, cmdline C:\Windows\system32\Milcphgf.exe, PID 988: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Mqckaf32.exe, cmdline C:\Windows\system32\Mqckaf32.exe, PID 1696: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Mcagma32.exe, cmdline C:\Windows\system32\Mcagma32.exe, PID 964: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Mjkpjkni.exe, cmdline C:\Windows\system32\Mjkpjkni.exe, PID 1940: Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Minpeh32.exe, cmdline C:\Windows\system32\Minpeh32.exe, PID 608: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Mphhbblp.exe, cmdline C:\Windows\system32\Mphhbblp.exe, PID 1628: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Mbgdonkd.exe, cmdline C:\Windows\system32\Mbgdonkd.exe, PID 1480: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Mfbqol32.exe, cmdline C:\Windows\system32\Mfbqol32.exe, PID 2152: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Mmlilfkj.exe, cmdline C:\Windows\system32\Mmlilfkj.exe, PID 2168: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Mbiadm32.exe, cmdline C:\Windows\system32\Mbiadm32.exe, PID 1720: Executes dropped EXE; Loads dropped DLL; Modifies registry class
30. C:\Windows\SysWOW64\Mfdmdlaj.exe, cmdline C:\Windows\system32\Mfdmdlaj.exe, PID 2464: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Nannejni.exe, cmdline C:\Windows\system32\Nannejni.exe, PID 2704: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Nejjfh32.exe, cmdline C:\Windows\system32\Nejjfh32.exe, PID 2916: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Nnboonmb.exe, cmdline C:\Windows\system32\Nnboonmb.exe, PID 2560: Executes dropped EXE
34. C:\Windows\SysWOW64\Naqkki32.exe, cmdline C:\Windows\system32\Naqkki32.exe, PID 2348: Executes dropped EXE
35. C:\Windows\SysWOW64\Ncogge32.exe, cmdline C:\Windows\system32\Ncogge32.exe, PID 2932: Executes dropped EXE
36. C:\Windows\SysWOW64\Nndkdn32.exe, cmdline C:\Windows\system32\Nndkdn32.exe, PID 2200: Executes dropped EXE
37. C:\Windows\SysWOW64\Nmglpjak.exe, cmdline C:\Windows\system32\Nmglpjak.exe, PID 944: Executes dropped EXE
38. C:\Windows\SysWOW64\Nhmpmcaq.exe, cmdline C:\Windows\system32\Nhmpmcaq.exe, PID 2244: Executes dropped EXE
39. C:\Windows\SysWOW64\Njklioqd.exe, cmdline C:\Windows\system32\Njklioqd.exe, PID 1132: Executes dropped EXE; Drops file in System32 directory
40. C:\Windows\SysWOW64\Nmjhejph.exe, cmdline C:\Windows\system32\Nmjhejph.exe, PID 864: Executes dropped EXE
41. C:\Windows\SysWOW64\Nfbmnpfh.exe, cmdline C:\Windows\system32\Nfbmnpfh.exe, PID 2640: Executes dropped EXE
42. C:\Windows\SysWOW64\Niqijkel.exe, cmdline C:\Windows\system32\Niqijkel.exe, PID 844: Executes dropped EXE
43. C:\Windows\SysWOW64\Nmlekj32.exe, cmdline C:\Windows\system32\Nmlekj32.exe, PID 2116: Executes dropped EXE
44. C:\Windows\SysWOW64\Nbincq32.exe, cmdline C:\Windows\system32\Nbincq32.exe, PID 2332: Executes dropped EXE
45. C:\Windows\SysWOW64\Ofdicodf.exe, cmdline C:\Windows\system32\Ofdicodf.exe, PID 1176: Executes dropped EXE
46. C:\Windows\SysWOW64\Olablfbm.exe, cmdline C:\Windows\system32\Olablfbm.exe, PID 1992: Executes dropped EXE
47. C:\Windows\SysWOW64\Ofgfio32.exe, cmdline C:\Windows\system32\Ofgfio32.exe, PID 912: Executes dropped EXE
48. C:\Windows\SysWOW64\Oiebej32.exe, cmdline C:\Windows\system32\Oiebej32.exe, PID 2208: Executes dropped EXE
49. C:\Windows\SysWOW64\Omqnfiip.exe, cmdline C:\Windows\system32\Omqnfiip.exe, PID 688: Executes dropped EXE
50. C:\Windows\SysWOW64\Opokbdhc.exe, cmdline C:\Windows\system32\Opokbdhc.exe, PID 2624: Executes dropped EXE
51. C:\Windows\SysWOW64\Obngnphg.exe, cmdline C:\Windows\system32\Obngnphg.exe, PID 2676: Executes dropped EXE
52. C:\Windows\SysWOW64\Oelcjkgk.exe, cmdline C:\Windows\system32\Oelcjkgk.exe, PID 1764: Executes dropped EXE
53. C:\Windows\SysWOW64\Olfkge32.exe, cmdline C:\Windows\system32\Olfkge32.exe, PID 2680: Executes dropped EXE
54. C:\Windows\SysWOW64\Opaggdfa.exe, cmdline C:\Windows\system32\Opaggdfa.exe, PID 2820: Executes dropped EXE
55. C:\Windows\SysWOW64\Oodhca32.exe, cmdline C:\Windows\system32\Oodhca32.exe, PID 2552: Executes dropped EXE
56. C:\Windows\SysWOW64\Oabdol32.exe, cmdline C:\Windows\system32\Oabdol32.exe, PID 3056: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Ohmllf32.exe, cmdline C:\Windows\system32\Ohmllf32.exe, PID 2540: Executes dropped EXE
58. C:\Windows\SysWOW64\Olhhmele.exe, cmdline C:\Windows\system32\Olhhmele.exe, PID 2076: Executes dropped EXE; System Location Discovery: System Language Discovery
59. C:\Windows\SysWOW64\Oogdiqki.exe, cmdline C:\Windows\system32\Oogdiqki.exe, PID 2128: Executes dropped EXE
60. C:\Windows\SysWOW64\Oaeqeljm.exe, cmdline C:\Windows\system32\Oaeqeljm.exe, PID 1800: Executes dropped EXE
61. C:\Windows\SysWOW64\Oeqmek32.exe, cmdline C:\Windows\system32\Oeqmek32.exe, PID 2328: Executes dropped EXE
62. C:\Windows\SysWOW64\Odcmagip.exe, cmdline C:\Windows\system32\Odcmagip.exe, PID 2488: Executes dropped EXE
63. C:\Windows\SysWOW64\Olkebejb.exe, cmdline C:\Windows\system32\Olkebejb.exe, PID 2376: Executes dropped EXE
64. C:\Windows\SysWOW64\Ooianpif.exe, cmdline C:\Windows\system32\Ooianpif.exe, PID 1160: Executes dropped EXE; Modifies registry class
65. C:\Windows\SysWOW64\Pmlajm32.exe, cmdline C:\Windows\system32\Pmlajm32.exe, PID 2424: Executes dropped EXE
66. C:\Windows\SysWOW64\Pagmjlhj.exe, cmdline C:\Windows\system32\Pagmjlhj.exe, PID 2496: Modifies registry class
67. C:\Windows\SysWOW64\Pdfifg32.exe, cmdline C:\Windows\system32\Pdfifg32.exe, PID 1484
68. C:\Windows\SysWOW64\Pgdfbb32.exe, cmdline C:\Windows\system32\Pgdfbb32.exe, PID 1452
69. C:\Windows\SysWOW64\Pokndp32.exe, cmdline C:\Windows\system32\Pokndp32.exe, PID 1812
70. C:\Windows\SysWOW64\Pmnnomnn.exe, cmdline C:\Windows\system32\Pmnnomnn.exe, PID 2160
71. C:\Windows\SysWOW64\Pajjpk32.exe, cmdline C:\Windows\system32\Pajjpk32.exe, PID 2776: System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Ppmjkhma.exe, cmdline C:\Windows\system32\Ppmjkhma.exe, PID 2972: Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Pgfbhb32.exe, cmdline C:\Windows\system32\Pgfbhb32.exe, PID 2672
74. C:\Windows\SysWOW64\Pkboiamh.exe, cmdline C:\Windows\system32\Pkboiamh.exe, PID 2544
75. C:\Windows\SysWOW64\Pieodn32.exe, cmdline C:\Windows\system32\Pieodn32.exe, PID 760
76. C:\Windows\SysWOW64\Palgek32.exe, cmdline C:\Windows\system32\Palgek32.exe, PID 2364
77. C:\Windows\SysWOW64\Ppogahko.exe, cmdline C:\Windows\system32\Ppogahko.exe, PID 1568
78. C:\Windows\SysWOW64\Pdjcaf32.exe, cmdline C:\Windows\system32\Pdjcaf32.exe, PID 2800
79. C:\Windows\SysWOW64\Pcmcmcjc.exe, cmdline C:\Windows\system32\Pcmcmcjc.exe, PID 2788
80. C:\Windows\SysWOW64\Pkdknq32.exe, cmdline C:\Windows\system32\Pkdknq32.exe, PID 604
81. C:\Windows\SysWOW64\Pigkjmap.exe, cmdline C:\Windows\system32\Pigkjmap.exe, PID 2352
82. C:\Windows\SysWOW64\Pncgjl32.exe, cmdline C:\Windows\system32\Pncgjl32.exe, PID 2204
83. C:\Windows\SysWOW64\Ppacfg32.exe, cmdline C:\Windows\system32\Ppacfg32.exe, PID 2360
84. C:\Windows\SysWOW64\Pdmpgfae.exe, cmdline C:\Windows\system32\Pdmpgfae.exe, PID 532
85. C:\Windows\SysWOW64\Pcppbc32.exe, cmdline C:\Windows\system32\Pcppbc32.exe, PID 2724
86. C:\Windows\SysWOW64\Penlon32.exe, cmdline C:\Windows\system32\Penlon32.exe, PID 1640
87. C:\Windows\SysWOW64\Pnedpl32.exe, cmdline C:\Windows\system32\Pnedpl32.exe, PID 2476
88. C:\Windows\SysWOW64\Pofqhdnd.exe, cmdline C:\Windows\system32\Pofqhdnd.exe, PID 1208
89. C:\Windows\SysWOW64\Pcbmhb32.exe, cmdline C:\Windows\system32\Pcbmhb32.exe, PID 2836
90. C:\Windows\SysWOW64\Qjleem32.exe, cmdline C:\Windows\system32\Qjleem32.exe, PID 2572
91. C:\Windows\SysWOW64\Qhoeqide.exe, cmdline C:\Windows\system32\Qhoeqide.exe, PID 1964
92. C:\Windows\SysWOW64\Qpfmageg.exe, cmdline C:\Windows\system32\Qpfmageg.exe, PID 1976
93. C:\Windows\SysWOW64\Qecejnco.exe, cmdline C:\Windows\system32\Qecejnco.exe, PID 1532
94. C:\Windows\SysWOW64\Qlmnfh32.exe, cmdline C:\Windows\system32\Qlmnfh32.exe, PID 1712
95. C:\Windows\SysWOW64\Qokjcc32.exe, cmdline C:\Windows\system32\Qokjcc32.exe, PID 304
96. C:\Windows\SysWOW64\Qcgfcbbh.exe, cmdline C:\Windows\system32\Qcgfcbbh.exe, PID 2888: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Afebpmal.exe, cmdline C:\Windows\system32\Afebpmal.exe, PID 904
98. C:\Windows\SysWOW64\Ahcoli32.exe, cmdline C:\Windows\system32\Ahcoli32.exe, PID 908
99. C:\Windows\SysWOW64\Akbkhd32.exe, cmdline C:\Windows\system32\Akbkhd32.exe, PID 2472: Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Adjoqjfc.exe, cmdline C:\Windows\system32\Adjoqjfc.exe, PID 2452
101. C:\Windows\SysWOW64\Agikmeeg.exe, cmdline C:\Windows\system32\Agikmeeg.exe, PID 2708
102. C:\Windows\SysWOW64\Aopcnbfj.exe, cmdline C:\Windows\system32\Aopcnbfj.exe, PID 2580: Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Abnpjnem.exe, cmdline C:\Windows\system32\Abnpjnem.exe, PID 3032
104. C:\Windows\SysWOW64\Aqapek32.exe, cmdline C:\Windows\system32\Aqapek32.exe, PID 2944
105. C:\Windows\SysWOW64\Agkhbece.exe, cmdline C:\Windows\system32\Agkhbece.exe, PID 1784
106. C:\Windows\SysWOW64\Ajidnp32.exe, cmdline C:\Windows\system32\Ajidnp32.exe, PID 1140: Drops file in System32 directory
107. C:\Windows\SysWOW64\Anepooja.exe, cmdline C:\Windows\system32\Anepooja.exe, PID 2996
108. C:\Windows\SysWOW64\Adoili32.exe, cmdline C:\Windows\system32\Adoili32.exe, PID 1044
109. C:\Windows\SysWOW64\Agmehd32.exe, cmdline C:\Windows\system32\Agmehd32.exe, PID 1536
110. C:\Windows\SysWOW64\Ajladp32.exe, cmdline C:\Windows\system32\Ajladp32.exe, PID 3000
111. C:\Windows\SysWOW64\Angmdoho.exe, cmdline C:\Windows\system32\Angmdoho.exe, PID 2028
112. C:\Windows\SysWOW64\Aqfiqjgb.exe, cmdline C:\Windows\system32\Aqfiqjgb.exe, PID 2136
113. C:\Windows\SysWOW64\Acdemegf.exe, cmdline C:\Windows\system32\Acdemegf.exe, PID 2696
114. C:\Windows\SysWOW64\Agpamd32.exe, cmdline C:\Windows\system32\Agpamd32.exe, PID 2700: Modifies registry class
115. C:\Windows\SysWOW64\Ajnnipnc.exe, cmdline C:\Windows\system32\Ajnnipnc.exe, PID 2620: Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Anjjjn32.exe, cmdline C:\Windows\system32\Anjjjn32.exe, PID 2804
117. C:\Windows\SysWOW64\Bokfaflj.exe, cmdline C:\Windows\system32\Bokfaflj.exe, PID 2852: Modifies registry class
118. C:\Windows\SysWOW64\Bgbncdmm.exe, cmdline C:\Windows\system32\Bgbncdmm.exe, PID 2372
119. C:\Windows\SysWOW64\Bjqjoolp.exe, cmdline C:\Windows\system32\Bjqjoolp.exe, PID 980: Drops file in System32 directory; Modifies registry class
120. C:\Windows\SysWOW64\Bmogkkkd.exe, cmdline C:\Windows\system32\Bmogkkkd.exe, PID 2500
121. C:\Windows\SysWOW64\Bqjcli32.exe, cmdline C:\Windows\system32\Bqjcli32.exe, PID 1648
122. C:\Windows\SysWOW64\Bciohe32.exe, cmdline C:\Windows\system32\Bciohe32.exe, PID 2744