Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 02:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ca3efa0b9b3605ec05105de6d981a4f0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ca3efa0b9b3605ec05105de6d981a4f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ca3efa0b9b3605ec05105de6d981a4f0N.exe
-
Size
401KB
-
MD5
ca3efa0b9b3605ec05105de6d981a4f0
-
SHA1
342e6a009a3395b531b83e3648ef382d268aa893
-
SHA256
7a902ee5beae05b0b85fd1dec1d912cc35aa07e0c2970904a9d2ac88405df1c7
-
SHA512
8bfcc575b91066b1b1bc1ba49d4c0ae3b24fcb110417c35b7361601f84a3b4aa79a383d22b3d790703edd7993c8cb646316fd058ae52d95b88d16813273d1e4c
-
SSDEEP
6144:XffMeWvDDwHo+ndpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836PGyA7:X3avD0pndpV6yYP4rbpV6yYPg058KrY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipomlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Koipglep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmabjfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napbjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfmkbebl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmabjfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgnnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Foahmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkicbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmollme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkolakkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fppaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcknhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfieigio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olpbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdmkoepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakhdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lanbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feachqgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjifodii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bddbjhlp.exe -
Executes dropped EXE 64 IoCs
pid Process 2300 Hlgimqhf.exe 2136 Iliebpfc.exe 2292 Ihpfgalh.exe 2800 Ijnbcmkk.exe 2864 Inlkik32.exe 2712 Ijclol32.exe 2720 Ijehdl32.exe 1624 Jbqmhnbo.exe 1632 Jeafjiop.exe 1620 Jgabdlfb.exe 988 Jajcdjca.exe 2356 Jbjpom32.exe 1404 Jehlkhig.exe 1412 Kncaojfb.exe 980 Khkbbc32.exe 1196 Kadfkhkf.exe 1456 Kddomchg.exe 1020 Kffldlne.exe 2256 Kpkpadnl.exe 876 Ljddjj32.exe 1496 Lhiakf32.exe 2144 Lkgngb32.exe 2888 Lkjjma32.exe 2852 Lnhgim32.exe 2724 Lbcbjlmb.exe 2628 Lklgbadb.exe 2656 Lqipkhbj.exe 2676 Lhpglecl.exe 568 Mnmpdlac.exe 2532 Mqklqhpg.exe 1784 Mdghaf32.exe 1096 Mgedmb32.exe 1904 Mjcaimgg.exe 1884 Mmbmeifk.exe 1880 Mclebc32.exe 2152 Mfjann32.exe 392 Mobfgdcl.exe 1304 Mgjnhaco.exe 1484 Mikjpiim.exe 2504 Mqbbagjo.exe 872 Mpebmc32.exe 1656 Mfokinhf.exe 3028 Mjkgjl32.exe 2472 Mcckcbgp.exe 2692 Nfahomfd.exe 2804 Nipdkieg.exe 2816 Nmkplgnq.exe 2700 Nlnpgd32.exe 2616 Nnmlcp32.exe 2988 Nefdpjkl.exe 1908 Nlqmmd32.exe 2084 Nbjeinje.exe 1480 Neiaeiii.exe 1700 Nidmfh32.exe 2896 Nlcibc32.exe 1988 Nbmaon32.exe 1584 Napbjjom.exe 2544 Nhjjgd32.exe 1212 Njhfcp32.exe 900 Nncbdomg.exe 2960 Nenkqi32.exe 880 Ndqkleln.exe 2064 Njjcip32.exe 1608 Oadkej32.exe -
Loads dropped DLL 64 IoCs
pid Process 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 2300 Hlgimqhf.exe 2300 Hlgimqhf.exe 2136 Iliebpfc.exe 2136 Iliebpfc.exe 2292 Ihpfgalh.exe 2292 Ihpfgalh.exe 2800 Ijnbcmkk.exe 2800 Ijnbcmkk.exe 2864 Inlkik32.exe 2864 Inlkik32.exe 2712 Ijclol32.exe 2712 Ijclol32.exe 2720 Ijehdl32.exe 2720 Ijehdl32.exe 1624 Jbqmhnbo.exe 1624 Jbqmhnbo.exe 1632 Jeafjiop.exe 1632 Jeafjiop.exe 1620 Jgabdlfb.exe 1620 Jgabdlfb.exe 988 Jajcdjca.exe 988 Jajcdjca.exe 2356 Jbjpom32.exe 2356 Jbjpom32.exe 1404 Jehlkhig.exe 1404 Jehlkhig.exe 1412 Kncaojfb.exe 1412 Kncaojfb.exe 980 Khkbbc32.exe 980 Khkbbc32.exe 1196 Kadfkhkf.exe 1196 Kadfkhkf.exe 1456 Kddomchg.exe 1456 Kddomchg.exe 1020 Kffldlne.exe 1020 Kffldlne.exe 2256 Kpkpadnl.exe 2256 Kpkpadnl.exe 876 Ljddjj32.exe 876 Ljddjj32.exe 1496 Lhiakf32.exe 1496 Lhiakf32.exe 2144 Lkgngb32.exe 2144 Lkgngb32.exe 2888 Lkjjma32.exe 2888 Lkjjma32.exe 2852 Lnhgim32.exe 2852 Lnhgim32.exe 2724 Lbcbjlmb.exe 2724 Lbcbjlmb.exe 2628 Lklgbadb.exe 2628 Lklgbadb.exe 2656 Lqipkhbj.exe 2656 Lqipkhbj.exe 2676 Lhpglecl.exe 2676 Lhpglecl.exe 568 Mnmpdlac.exe 568 Mnmpdlac.exe 2532 Mqklqhpg.exe 2532 Mqklqhpg.exe 1784 Mdghaf32.exe 1784 Mdghaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jokbld32.dll Gqlhkofn.exe File created C:\Windows\SysWOW64\Koipglep.exe Kljdkpfl.exe File created C:\Windows\SysWOW64\Dggajf32.dll Opfegp32.exe File created C:\Windows\SysWOW64\Qjqkek32.dll Apkgpf32.exe File created C:\Windows\SysWOW64\Gdnfjl32.exe Gncnmane.exe File created C:\Windows\SysWOW64\Inhdgdmk.exe Ikjhki32.exe File created C:\Windows\SysWOW64\Pdkiofep.dll Bjmeiq32.exe File created C:\Windows\SysWOW64\Foahmh32.exe Fhgppnan.exe File created C:\Windows\SysWOW64\Fgmkef32.dll Ipomlm32.exe File opened for modification C:\Windows\SysWOW64\Ppddpd32.exe Paaddgkj.exe File created C:\Windows\SysWOW64\Daadna32.dll Hclfag32.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Kbjbge32.exe File opened for modification C:\Windows\SysWOW64\Aaimopli.exe Allefimb.exe File created C:\Windows\SysWOW64\Ibkmchbh.exe Ipmqgmcd.exe File created C:\Windows\SysWOW64\Bogjaamh.exe Bhmaeg32.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Flocfmnl.exe Eipgjaoi.exe File created C:\Windows\SysWOW64\Dhnhab32.dll Eicpcm32.exe File created C:\Windows\SysWOW64\Nncgkioi.dll Gncnmane.exe File opened for modification C:\Windows\SysWOW64\Qcogbdkg.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Ibeghl32.dll Klfjpa32.exe File opened for modification C:\Windows\SysWOW64\Ldheebad.exe Kajiigba.exe File created C:\Windows\SysWOW64\Giaidnkf.exe Gefmcp32.exe File created C:\Windows\SysWOW64\Knbbpakg.dll Kadfkhkf.exe File opened for modification C:\Windows\SysWOW64\Lbcbjlmb.exe Lnhgim32.exe File created C:\Windows\SysWOW64\Nfigck32.exe Nggggoda.exe File opened for modification C:\Windows\SysWOW64\Cdmepgce.exe Cqaiph32.exe File opened for modification C:\Windows\SysWOW64\Jabponba.exe Jikhnaao.exe File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Clojhf32.exe File created C:\Windows\SysWOW64\Figmjq32.exe Felajbpg.exe File created C:\Windows\SysWOW64\Bfcodkcb.exe Bnlgbnbp.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nncbdomg.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Dfmeccao.exe File created C:\Windows\SysWOW64\Kqacnpdp.dll Hgciff32.exe File created C:\Windows\SysWOW64\Daplkmbg.exe Dmepkn32.exe File opened for modification C:\Windows\SysWOW64\Coicfd32.exe Ciokijfd.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pohhna32.exe File created C:\Windows\SysWOW64\Kajiigba.exe Kokmmkcm.exe File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Bnlgbnbp.exe File created C:\Windows\SysWOW64\Gecpnp32.exe Ggapbcne.exe File opened for modification C:\Windows\SysWOW64\Iediin32.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jajcdjca.exe File opened for modification C:\Windows\SysWOW64\Mfokinhf.exe Mpebmc32.exe File created C:\Windows\SysWOW64\Bmblbf32.dll Fkcilc32.exe File created C:\Windows\SysWOW64\Cfhkhd32.exe Cgfkmgnj.exe File opened for modification C:\Windows\SysWOW64\Dbdehdfc.exe Dpeiligo.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Napbjjom.exe File created C:\Windows\SysWOW64\Ongcaafk.dll Dfcgbb32.exe File created C:\Windows\SysWOW64\Eeagimdf.exe Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe Iogpag32.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Bhjlli32.exe File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe Kpdcfoph.exe File opened for modification C:\Windows\SysWOW64\Adipfd32.exe Apmcefmf.exe File created C:\Windows\SysWOW64\Plmcfpfk.dll Debadpeg.exe File created C:\Windows\SysWOW64\Aeqbijmn.dll Nflchkii.exe File created C:\Windows\SysWOW64\Fflkbagk.dll Jlkglm32.exe File created C:\Windows\SysWOW64\Ldahkaij.exe Lljpjchg.exe File created C:\Windows\SysWOW64\Ieibdnnp.exe Inojhc32.exe File created C:\Windows\SysWOW64\Kmfpmc32.exe Kocpbfei.exe File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Fnpeed32.dll Cmedlk32.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qcachc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6944 6160 WerFault.exe 687 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeqopcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdegfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjmifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjdpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehlkhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapeic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnibcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofbhgde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacjjacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaddgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgghac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offmipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeldkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmcjedcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaimopli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaaeimj.dll" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nggggoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblkei32.dll" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaihg32.dll" Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofpgamj.dll" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neniei32.dll" Daplkmbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Phcilf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlojnpb.dll" Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll" Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll" Ofhjopbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fchkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoenh32.dll" Lgkkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll" Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fapeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npbklabl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elibpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkcilc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgejcl32.dll" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnbejb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipjdameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elkofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ielqinkm.dll" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicjoa32.dll" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeafjiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piliii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdpcokdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkggbgh.dll" Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnealjn.dll" Mdmkoepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdceqkca.dll" Mcfemmna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daeclf32.dll" Ajehnk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2300 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 30 PID 2232 wrote to memory of 2300 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 30 PID 2232 wrote to memory of 2300 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 30 PID 2232 wrote to memory of 2300 2232 ca3efa0b9b3605ec05105de6d981a4f0N.exe 30 PID 2300 wrote to memory of 2136 2300 Hlgimqhf.exe 31 PID 2300 wrote to memory of 2136 2300 Hlgimqhf.exe 31 PID 2300 wrote to memory of 2136 2300 Hlgimqhf.exe 31 PID 2300 wrote to memory of 2136 2300 Hlgimqhf.exe 31 PID 2136 wrote to memory of 2292 2136 Iliebpfc.exe 32 PID 2136 wrote to memory of 2292 2136 Iliebpfc.exe 32 PID 2136 wrote to memory of 2292 2136 Iliebpfc.exe 32 PID 2136 wrote to memory of 2292 2136 Iliebpfc.exe 32 PID 2292 wrote to memory of 2800 2292 Ihpfgalh.exe 33 PID 2292 wrote to memory of 2800 2292 Ihpfgalh.exe 33 PID 2292 wrote to memory of 2800 2292 Ihpfgalh.exe 33 PID 2292 wrote to memory of 2800 2292 Ihpfgalh.exe 33 PID 2800 wrote to memory of 2864 2800 Ijnbcmkk.exe 34 PID 2800 wrote to memory of 2864 2800 Ijnbcmkk.exe 34 PID 2800 wrote to memory of 2864 2800 Ijnbcmkk.exe 34 PID 2800 wrote to memory of 2864 2800 Ijnbcmkk.exe 34 PID 2864 wrote to memory of 2712 2864 Inlkik32.exe 35 PID 2864 wrote to memory of 2712 2864 Inlkik32.exe 35 PID 2864 wrote to memory of 2712 2864 Inlkik32.exe 35 PID 2864 wrote to memory of 2712 2864 Inlkik32.exe 35 PID 2712 wrote to memory of 2720 2712 Ijclol32.exe 36 PID 2712 wrote to memory of 2720 2712 Ijclol32.exe 36 PID 2712 wrote to memory of 2720 2712 Ijclol32.exe 36 PID 2712 wrote to memory of 2720 2712 Ijclol32.exe 36 PID 2720 wrote to memory of 1624 2720 Ijehdl32.exe 38 PID 2720 wrote to memory of 1624 2720 Ijehdl32.exe 38 PID 2720 wrote to memory of 1624 2720 Ijehdl32.exe 38 PID 2720 wrote to memory of 1624 2720 Ijehdl32.exe 38 PID 1624 wrote to memory of 1632 1624 Jbqmhnbo.exe 39 PID 1624 wrote to memory of 1632 1624 Jbqmhnbo.exe 39 PID 1624 wrote to memory of 1632 1624 Jbqmhnbo.exe 39 PID 1624 wrote to memory of 1632 1624 Jbqmhnbo.exe 39 PID 1632 wrote to memory of 1620 1632 Jeafjiop.exe 40 PID 1632 wrote to memory of 1620 1632 Jeafjiop.exe 40 PID 1632 wrote to memory of 1620 1632 Jeafjiop.exe 40 PID 1632 wrote to memory of 1620 1632 Jeafjiop.exe 40 PID 1620 wrote to memory of 988 1620 Jgabdlfb.exe 41 PID 1620 wrote to memory of 988 1620 Jgabdlfb.exe 41 PID 1620 wrote to memory of 988 1620 Jgabdlfb.exe 41 PID 1620 wrote to memory of 988 1620 Jgabdlfb.exe 41 PID 988 wrote to memory of 2356 988 Jajcdjca.exe 42 PID 988 wrote to memory of 2356 988 Jajcdjca.exe 42 PID 988 wrote to memory of 2356 988 Jajcdjca.exe 42 PID 988 wrote to memory of 2356 988 Jajcdjca.exe 42 PID 2356 wrote to memory of 1404 2356 Jbjpom32.exe 43 PID 2356 wrote to memory of 1404 2356 Jbjpom32.exe 43 PID 2356 wrote to memory of 1404 2356 Jbjpom32.exe 43 PID 2356 wrote to memory of 1404 2356 Jbjpom32.exe 43 PID 1404 wrote to memory of 1412 1404 Jehlkhig.exe 44 PID 1404 wrote to memory of 1412 1404 Jehlkhig.exe 44 PID 1404 wrote to memory of 1412 1404 Jehlkhig.exe 44 PID 1404 wrote to memory of 1412 1404 Jehlkhig.exe 44 PID 1412 wrote to memory of 980 1412 Kncaojfb.exe 45 PID 1412 wrote to memory of 980 1412 Kncaojfb.exe 45 PID 1412 wrote to memory of 980 1412 Kncaojfb.exe 45 PID 1412 wrote to memory of 980 1412 Kncaojfb.exe 45 PID 980 wrote to memory of 1196 980 Khkbbc32.exe 46 PID 980 wrote to memory of 1196 980 Khkbbc32.exe 46 PID 980 wrote to memory of 1196 980 Khkbbc32.exe 46 PID 980 wrote to memory of 1196 980 Khkbbc32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca3efa0b9b3605ec05105de6d981a4f0N.exe"C:\Users\Admin\AppData\Local\Temp\ca3efa0b9b3605ec05105de6d981a4f0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe36⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe37⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe38⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe40⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe41⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe43⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe45⤵PID:2196
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe46⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe47⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe49⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe51⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe52⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe54⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe55⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe56⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe57⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe58⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe61⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe63⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe64⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe65⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe67⤵PID:2260
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe68⤵PID:2812
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe69⤵PID:2912
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe70⤵PID:2620
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe72⤵PID:1636
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe73⤵PID:1508
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe75⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe76⤵PID:2640
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe78⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe80⤵PID:1564
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe81⤵PID:2316
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe82⤵PID:2076
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe83⤵PID:488
-
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe84⤵PID:3068
-
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe85⤵PID:2612
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe86⤵PID:3000
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe87⤵PID:2344
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe88⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe89⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe90⤵PID:2448
-
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe91⤵PID:404
-
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe92⤵PID:1524
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe93⤵PID:884
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe94⤵PID:1672
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe95⤵
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe97⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe100⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe101⤵PID:2436
-
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe102⤵PID:2460
-
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe103⤵PID:1084
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe104⤵PID:1104
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe105⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe106⤵PID:2584
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe107⤵PID:2188
-
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe108⤵PID:2240
-
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe109⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe110⤵PID:2380
-
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe111⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe112⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1852 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe115⤵PID:472
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe116⤵PID:1972
-
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe117⤵PID:2908
-
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe118⤵
- Modifies registry class
PID:348 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe120⤵PID:660
-
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe121⤵PID:756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-