Analysis
max time kernel: 65s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 01:15
Static task: static1
Behavioral task: behavioral1
  Sample: 09a64b94c401946efab49ace111c8050N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 09a64b94c401946efab49ace111c8050N.exe
  Resource: win10v2004-20240802-en
General
Target: 09a64b94c401946efab49ace111c8050N.exe
Size: 89KB
MD5: 09a64b94c401946efab49ace111c8050
SHA1: 3485f0d3c996935f472ca0bb3709e7fe99b1eb2f
SHA256: fc9adfd50a1e4090f0be357a00611777731c9ccb71412c6acc4189d97767e51a
SHA512: 6496df219fd9a1442115a734859f7d39768a56403492794773191a60d62a5107a99683abfd8922686b6162defb18d4044ce672d621c6a4b1ede0ddcc9a2ebaf8
SSDEEP: 1536:gbj+7l+GspN+ruyoHCwI38HeJl3fLDNxT7U0qcElExkg8F:g7G8+rtsCwy8uTDNN7UdcElakgw
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4420, pid_target: 612, Process: WerFault.exe, procid_target: 393
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Format: depth. image path (command line as launched), PID, followed by the behaviour tags the sandbox reported for that process. Each process spawns the next one in the chain.

1. C:\Users\Admin\AppData\Local\Temp\09a64b94c401946efab49ace111c8050N.exe ("C:\Users\Admin\AppData\Local\Temp\09a64b94c401946efab49ace111c8050N.exe"), PID 612
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pdpcep32.exe (C:\Windows\system32\Pdpcep32.exe), PID 2784
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Pllhib32.exe (C:\Windows\system32\Pllhib32.exe), PID 2792
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Qchmll32.exe (C:\Windows\system32\Qchmll32.exe), PID 2888
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Qlpadaac.exe (C:\Windows\system32\Qlpadaac.exe), PID 2780
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Qamjmh32.exe (C:\Windows\system32\Qamjmh32.exe), PID 2676
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Qkeofnfk.exe (C:\Windows\system32\Qkeofnfk.exe), PID 2448
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ahioobed.exe (C:\Windows\system32\Ahioobed.exe), PID 2392
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Abachg32.exe (C:\Windows\system32\Abachg32.exe), PID 1344
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Agolpnjl.exe (C:\Windows\system32\Agolpnjl.exe), PID 2492
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Abdpngjb.exe (C:\Windows\system32\Abdpngjb.exe), PID 2976
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Agaifnhi.exe (C:\Windows\system32\Agaifnhi.exe), PID 2508
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Adeiobgc.exe (C:\Windows\system32\Adeiobgc.exe), PID 1676
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ampncd32.exe (C:\Windows\system32\Ampncd32.exe), PID 2192
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bjdnmi32.exe (C:\Windows\system32\Bjdnmi32.exe), PID 2460
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bfkobj32.exe (C:\Windows\system32\Bfkobj32.exe), PID 1828
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bocckoom.exe (C:\Windows\system32\Bocckoom.exe), PID 472
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Bnhqll32.exe (C:\Windows\system32\Bnhqll32.exe), PID 1884
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Bebiifka.exe (C:\Windows\system32\Bebiifka.exe), PID 2088
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Bnkmakbb.exe (C:\Windows\system32\Bnkmakbb.exe), PID 2472
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Bipaodah.exe (C:\Windows\system32\Bipaodah.exe), PID 1412
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Bnmjgkpo.exe (C:\Windows\system32\Bnmjgkpo.exe), PID 1936
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
23. C:\Windows\SysWOW64\Cgeopqfp.exe (C:\Windows\system32\Cgeopqfp.exe), PID 2344
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Cmbghgdg.exe (C:\Windows\system32\Cmbghgdg.exe), PID 3012
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Ccloea32.exe (C:\Windows\system32\Ccloea32.exe), PID 3068
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Cmdcngbd.exe (C:\Windows\system32\Cmdcngbd.exe), PID 2552
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Cgjhkpbj.exe (C:\Windows\system32\Cgjhkpbj.exe), PID 2896
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Cpemob32.exe (C:\Windows\system32\Cpemob32.exe), PID 2776
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
29. C:\Windows\SysWOW64\Cinahhff.exe (C:\Windows\system32\Cinahhff.exe), PID 3008
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Cbfeam32.exe (C:\Windows\system32\Cbfeam32.exe), PID 2948
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
31. C:\Windows\SysWOW64\Dlnjjc32.exe (C:\Windows\system32\Dlnjjc32.exe), PID 2764
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Dhekodik.exe (C:\Windows\system32\Dhekodik.exe), PID 2648
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
33. C:\Windows\SysWOW64\Danohi32.exe (C:\Windows\system32\Danohi32.exe), PID 1632
- Executes dropped EXE
34. C:\Windows\SysWOW64\Dkfcqo32.exe (C:\Windows\system32\Dkfcqo32.exe), PID 2496
- Executes dropped EXE
35. C:\Windows\SysWOW64\Dhjdjc32.exe (C:\Windows\system32\Dhjdjc32.exe), PID 2952
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
36. C:\Windows\SysWOW64\Dmgmbj32.exe (C:\Windows\system32\Dmgmbj32.exe), PID 2404
- Executes dropped EXE
37. C:\Windows\SysWOW64\Dhlapc32.exe (C:\Windows\system32\Dhlapc32.exe), PID 2512
- Executes dropped EXE
38. C:\Windows\SysWOW64\Dpgedepn.exe (C:\Windows\system32\Dpgedepn.exe), PID 2484
- Executes dropped EXE
39. C:\Windows\SysWOW64\Epjbienl.exe (C:\Windows\system32\Epjbienl.exe), PID 2416
- Executes dropped EXE
40. C:\Windows\SysWOW64\Eibgbj32.exe (C:\Windows\system32\Eibgbj32.exe), PID 2008
- Executes dropped EXE
41. C:\Windows\SysWOW64\Egfglocf.exe (C:\Windows\system32\Egfglocf.exe), PID 2916
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
42. C:\Windows\SysWOW64\Ecmhqp32.exe (C:\Windows\system32\Ecmhqp32.exe), PID 2216
- Executes dropped EXE
- Drops file in System32 directory
43. C:\Windows\SysWOW64\Ecodfogg.exe (C:\Windows\system32\Ecodfogg.exe), PID 1528
- Executes dropped EXE
- Modifies registry class
44. C:\Windows\SysWOW64\Elgioe32.exe (C:\Windows\system32\Elgioe32.exe), PID 2600
- Executes dropped EXE
45. C:\Windows\SysWOW64\Fcaaloed.exe (C:\Windows\system32\Fcaaloed.exe), PID 2004
- Executes dropped EXE
46. C:\Windows\SysWOW64\Fljfdd32.exe (C:\Windows\system32\Fljfdd32.exe), PID 3000
- Executes dropped EXE
47. C:\Windows\SysWOW64\Febjmj32.exe (C:\Windows\system32\Febjmj32.exe), PID 836
- Executes dropped EXE
- Drops file in System32 directory
48. C:\Windows\SysWOW64\Fokofpif.exe (C:\Windows\system32\Fokofpif.exe), PID 1864
- Executes dropped EXE
- Modifies registry class
49. C:\Windows\SysWOW64\Fdggofgn.exe (C:\Windows\system32\Fdggofgn.exe), PID 1536
- Executes dropped EXE
- System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Fjdpgnee.exe (C:\Windows\system32\Fjdpgnee.exe), PID 2852
- Executes dropped EXE
51. C:\Windows\SysWOW64\Fcmdpcle.exe (C:\Windows\system32\Fcmdpcle.exe), PID 2920
- Executes dropped EXE
- System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Fjfllm32.exe (C:\Windows\system32\Fjfllm32.exe), PID 1240
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
53. C:\Windows\SysWOW64\Fdlqjf32.exe (C:\Windows\system32\Fdlqjf32.exe), PID 2796
- Executes dropped EXE
- Drops file in System32 directory
54. C:\Windows\SysWOW64\Gjiibm32.exe (C:\Windows\system32\Gjiibm32.exe), PID 1360
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
55. C:\Windows\SysWOW64\Gofajcog.exe (C:\Windows\system32\Gofajcog.exe), PID 1768
- Executes dropped EXE
56. C:\Windows\SysWOW64\Gjkfglom.exe (C:\Windows\system32\Gjkfglom.exe), PID 2368
- Executes dropped EXE
- System Location Discovery: System Language Discovery
57. C:\Windows\SysWOW64\Gohnpcmd.exe (C:\Windows\system32\Gohnpcmd.exe), PID 2296
- Executes dropped EXE
58. C:\Windows\SysWOW64\Ghqchi32.exe (C:\Windows\system32\Ghqchi32.exe), PID 2932
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
59. C:\Windows\SysWOW64\Iigehk32.exe (C:\Windows\system32\Iigehk32.exe), PID 1640
- Executes dropped EXE
- Modifies registry class
60. C:\Windows\SysWOW64\Jffhec32.exe (C:\Windows\system32\Jffhec32.exe), PID 2000
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
61. C:\Windows\SysWOW64\Jkdalb32.exe (C:\Windows\system32\Jkdalb32.exe), PID 2372
- Executes dropped EXE
- Modifies registry class
62. C:\Windows\SysWOW64\Kphpdhdh.exe (C:\Windows\system32\Kphpdhdh.exe), PID 340
- Executes dropped EXE
63. C:\Windows\SysWOW64\Keehmobp.exe (C:\Windows\system32\Keehmobp.exe), PID 1076
- Executes dropped EXE
- Drops file in System32 directory
64. C:\Windows\SysWOW64\Kommediq.exe (C:\Windows\system32\Kommediq.exe), PID 1056
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Kkdnke32.exe (C:\Windows\system32\Kkdnke32.exe), PID 844
- Executes dropped EXE
66. C:\Windows\SysWOW64\Kejahn32.exe (C:\Windows\system32\Kejahn32.exe), PID 2340
- Modifies registry class
67. C:\Windows\SysWOW64\Kgknpfdi.exe (C:\Windows\system32\Kgknpfdi.exe), PID 620
68. C:\Windows\SysWOW64\Kobfqc32.exe (C:\Windows\system32\Kobfqc32.exe), PID 316
69. C:\Windows\SysWOW64\Kdooij32.exe (C:\Windows\system32\Kdooij32.exe), PID 2760
70. C:\Windows\SysWOW64\Kkigfdjo.exe (C:\Windows\system32\Kkigfdjo.exe), PID 2800
- System Location Discovery: System Language Discovery
- Modifies registry class
71. C:\Windows\SysWOW64\Kdakoj32.exe (C:\Windows\system32\Kdakoj32.exe), PID 772
- System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Ljndga32.exe (C:\Windows\system32\Ljndga32.exe), PID 2960
73. C:\Windows\SysWOW64\Lcfhpf32.exe (C:\Windows\system32\Lcfhpf32.exe), PID 2176
- System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Lfedlb32.exe (C:\Windows\system32\Lfedlb32.exe), PID 2096
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Lomidgkl.exe (C:\Windows\system32\Lomidgkl.exe), PID 1668
76. C:\Windows\SysWOW64\Lfgaaa32.exe (C:\Windows\system32\Lfgaaa32.exe), PID 2304
- Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Lpmeojbo.exe (C:\Windows\system32\Lpmeojbo.exe), PID 2388
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Ljejgp32.exe (C:\Windows\system32\Ljejgp32.exe), PID 1800
79. C:\Windows\SysWOW64\Lkffohon.exe (C:\Windows\system32\Lkffohon.exe), PID 2244
- Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Lcmopepp.exe (C:\Windows\system32\Lcmopepp.exe), PID 560
- Drops file in System32 directory
81. C:\Windows\SysWOW64\Ldokhn32.exe (C:\Windows\system32\Ldokhn32.exe), PID 2228
82. C:\Windows\SysWOW64\Lngpac32.exe (C:\Windows\system32\Lngpac32.exe), PID 2324
- Modifies registry class
83. C:\Windows\SysWOW64\Mbehgabe.exe (C:\Windows\system32\Mbehgabe.exe), PID 2532
- Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Mgaqohql.exe (C:\Windows\system32\Mgaqohql.exe), PID 3048
85. C:\Windows\SysWOW64\Mdeaim32.exe (C:\Windows\system32\Mdeaim32.exe), PID 2844
- Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Mkpieggc.exe (C:\Windows\system32\Mkpieggc.exe), PID 2868
87. C:\Windows\SysWOW64\Mcknjidn.exe (C:\Windows\system32\Mcknjidn.exe), PID 2900
88. C:\Windows\SysWOW64\Mnpbgbdd.exe (C:\Windows\system32\Mnpbgbdd.exe), PID 2940
- Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Mcmkoi32.exe (C:\Windows\system32\Mcmkoi32.exe), PID 3028
- Modifies registry class
90. C:\Windows\SysWOW64\Nijcgp32.exe (C:\Windows\system32\Nijcgp32.exe), PID 2820
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
91. C:\Windows\SysWOW64\Nbbhpegc.exe (C:\Windows\system32\Nbbhpegc.exe), PID 2712
92. C:\Windows\SysWOW64\Nmhlnngi.exe (C:\Windows\system32\Nmhlnngi.exe), PID 2132
- System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Ncbdjhnf.exe (C:\Windows\system32\Ncbdjhnf.exe), PID 3040
- Drops file in System32 directory
94. C:\Windows\SysWOW64\Niombolm.exe (C:\Windows\system32\Niombolm.exe), PID 2424
95. C:\Windows\SysWOW64\Nbgakd32.exe (C:\Windows\system32\Nbgakd32.exe), PID 2292
96. C:\Windows\SysWOW64\Nhdjdk32.exe (C:\Windows\system32\Nhdjdk32.exe), PID 1720
97. C:\Windows\SysWOW64\Nalnmahf.exe (C:\Windows\system32\Nalnmahf.exe), PID 1060
98. C:\Windows\SysWOW64\Nlabjj32.exe (C:\Windows\system32\Nlabjj32.exe), PID 2736
99. C:\Windows\SysWOW64\Odmgnl32.exe (C:\Windows\system32\Odmgnl32.exe), PID 2872
- Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Onbkle32.exe (C:\Windows\system32\Onbkle32.exe), PID 2168
- Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Ododdlcd.exe (C:\Windows\system32\Ododdlcd.exe), PID 840
- System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Onehadbj.exe (C:\Windows\system32\Onehadbj.exe), PID 1628
- Drops file in System32 directory
103. C:\Windows\SysWOW64\Omjeba32.exe (C:\Windows\system32\Omjeba32.exe), PID 2408
104. C:\Windows\SysWOW64\Ofbikf32.exe (C:\Windows\system32\Ofbikf32.exe), PID 2036
- System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Olobcm32.exe (C:\Windows\system32\Olobcm32.exe), PID 1216
- Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Oicbma32.exe (C:\Windows\system32\Oicbma32.exe), PID 2240
- Drops file in System32 directory
- Modifies registry class
107. C:\Windows\SysWOW64\Pieobaiq.exe (C:\Windows\system32\Pieobaiq.exe), PID 1548
- Modifies registry class
108. C:\Windows\SysWOW64\Pobgjhgh.exe (C:\Windows\system32\Pobgjhgh.exe), PID 1244
- System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Phklcn32.exe (C:\Windows\system32\Phklcn32.exe), PID 2140
110. C:\Windows\SysWOW64\Pkihpi32.exe (C:\Windows\system32\Pkihpi32.exe), PID 2560
- Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Pdamhocm.exe (C:\Windows\system32\Pdamhocm.exe), PID 2848
112. C:\Windows\SysWOW64\Pogaeg32.exe (C:\Windows\system32\Pogaeg32.exe), PID 2700
- Drops file in System32 directory
113. C:\Windows\SysWOW64\Phoeomjc.exe (C:\Windows\system32\Phoeomjc.exe), PID 1732
- Drops file in System32 directory
114. C:\Windows\SysWOW64\Pahjgb32.exe (C:\Windows\system32\Pahjgb32.exe), PID 2660
115. C:\Windows\SysWOW64\Qicoleno.exe (C:\Windows\system32\Qicoleno.exe), PID 900
- Drops file in System32 directory
- Modifies registry class
116. C:\Windows\SysWOW64\Qggoeilh.exe (C:\Windows\system32\Qggoeilh.exe), PID 2628
117. C:\Windows\SysWOW64\Qiekadkl.exe (C:\Windows\system32\Qiekadkl.exe), PID 2468
118. C:\Windows\SysWOW64\Acnpjj32.exe (C:\Windows\system32\Acnpjj32.exe), PID 1580
119. C:\Windows\SysWOW64\Ajghgd32.exe (C:\Windows\system32\Ajghgd32.exe), PID 1232
- Drops file in System32 directory
120. C:\Windows\SysWOW64\Apapcnaf.exe (C:\Windows\system32\Apapcnaf.exe), PID 3056
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
121. C:\Windows\SysWOW64\Ajjeld32.exe (C:\Windows\system32\Ajjeld32.exe), PID 2152
- Drops file in System32 directory
- Modifies registry class
122. C:\Windows\SysWOW64\Acbieing.exe (C:\Windows\system32\Acbieing.exe), PID 1780
- Adds autorun key to be loaded by Explorer.exe on startup