Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
48s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 12:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4646e5e92a9910eaf6012e6492177190N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4646e5e92a9910eaf6012e6492177190N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4646e5e92a9910eaf6012e6492177190N.exe
-
Size
94KB
-
MD5
4646e5e92a9910eaf6012e6492177190
-
SHA1
1ac45b3f04d447a9e90fcc2b8598a59a4a96ba45
-
SHA256
1178ed4b6d65ce561f8a22c4fee84b737726cb94a11f227d447a757ff952c6cb
-
SHA512
53cc3e85baff5e5632fee82cbc6d077685b49077ec9e11477122e3542bfcc26853f88c55082d2f931e5eb252dfcab7991c0a703853c71796a63287e4f288cbc7
-
SSDEEP
1536:Od44PUUFcAGMow7mnVYWVQX+H/NZtWvzLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9N:E4ZYb9t7aVfH/NZtWLjH6KU90uGimj1g
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecmfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefikg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamjph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecobmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekfaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbgkgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbmkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhdlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikicikap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoakckp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgelk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkilgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemmenhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpidai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdoocdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gplebjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enngdgim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqkjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nogmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiimfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgibd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpeoakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghenamai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenioenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlaomae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnlcnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abaaoodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffiepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfceom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loocanbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfceom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcppgbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiflpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hengep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpoofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ninjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cipleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dooqceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfnlcnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibgfjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfihml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpengf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooqceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmcpjfcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmeecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbfcjag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abldccka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpclica.exe -
Executes dropped EXE 64 IoCs
pid Process 2332 Blaobmkq.exe 1884 Cggcofkf.exe 2216 Cggcofkf.exe 2100 Cobhdhha.exe 2956 Capdpcge.exe 1976 Ckiiiine.exe 3064 Cabaec32.exe 492 Caenkc32.exe 1700 Cdcjgnbc.exe 3044 Cgbfcjag.exe 2088 Cpjklo32.exe 2272 Ckpoih32.exe 700 Dnnkec32.exe 2400 Dckcnj32.exe 2056 Djeljd32.exe 1180 Ddjphm32.exe 2188 Dcmpcjcf.exe 1940 Dleelp32.exe 1344 Dodahk32.exe 1932 Dfniee32.exe 1912 Dlhaaogd.exe 2764 Dofnnkfg.exe 2656 Dbejjfek.exe 2440 Doijcjde.exe 1924 Dcdfdi32.exe 1684 Elmkmo32.exe 2800 Enngdgim.exe 2708 Efeoedjo.exe 2964 Eblpke32.exe 2552 Eqopfbfn.exe 2148 Ekddck32.exe 1916 Ecoihm32.exe 1264 Ekfaij32.exe 2912 Enenef32.exe 1676 Edofbpja.exe 2284 Engjkeab.exe 2460 Fqffgapf.exe 584 Fjnkpf32.exe 2316 Fcfohlmg.exe 2120 Fbipdi32.exe 1492 Ffeldglk.exe 1404 Fblljhbo.exe 1980 Fejifdab.exe 2128 Fnbmoi32.exe 1208 Ffiepg32.exe 2456 Fhkagonc.exe 1000 Fpbihl32.exe 2028 Fnejdiep.exe 2076 Fbpfeh32.exe 2852 Fijnabef.exe 2940 Gjljij32.exe 2704 Gbbbjg32.exe 2712 Geaofc32.exe 1356 Ghpkbn32.exe 1984 Gjngoj32.exe 2204 Gnicoh32.exe 3056 Gecklbih.exe 2668 Gdflgo32.exe 1280 Gjpddigo.exe 1608 Gmoppefc.exe 1628 Gdihmo32.exe 2628 Ghddnnfi.exe 1500 Gmamfddp.exe 612 Gpoibp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2164 4646e5e92a9910eaf6012e6492177190N.exe 2164 4646e5e92a9910eaf6012e6492177190N.exe 2332 Blaobmkq.exe 2332 Blaobmkq.exe 1884 Cggcofkf.exe 1884 Cggcofkf.exe 2216 Cggcofkf.exe 2216 Cggcofkf.exe 2100 Cobhdhha.exe 2100 Cobhdhha.exe 2956 Capdpcge.exe 2956 Capdpcge.exe 1976 Ckiiiine.exe 1976 Ckiiiine.exe 3064 Cabaec32.exe 3064 Cabaec32.exe 492 Caenkc32.exe 492 Caenkc32.exe 1700 Cdcjgnbc.exe 1700 Cdcjgnbc.exe 3044 Cgbfcjag.exe 3044 Cgbfcjag.exe 2088 Cpjklo32.exe 2088 Cpjklo32.exe 2272 Ckpoih32.exe 2272 Ckpoih32.exe 700 Dnnkec32.exe 700 Dnnkec32.exe 2400 Dckcnj32.exe 2400 Dckcnj32.exe 2056 Djeljd32.exe 2056 Djeljd32.exe 1180 Ddjphm32.exe 1180 Ddjphm32.exe 2188 Dcmpcjcf.exe 2188 Dcmpcjcf.exe 1940 Dleelp32.exe 1940 Dleelp32.exe 1344 Dodahk32.exe 1344 Dodahk32.exe 1932 Dfniee32.exe 1932 Dfniee32.exe 1912 Dlhaaogd.exe 1912 Dlhaaogd.exe 2764 Dofnnkfg.exe 2764 Dofnnkfg.exe 2656 Dbejjfek.exe 2656 Dbejjfek.exe 2440 Doijcjde.exe 2440 Doijcjde.exe 1924 Dcdfdi32.exe 1924 Dcdfdi32.exe 1684 Elmkmo32.exe 1684 Elmkmo32.exe 2800 Enngdgim.exe 2800 Enngdgim.exe 2708 Efeoedjo.exe 2708 Efeoedjo.exe 2964 Eblpke32.exe 2964 Eblpke32.exe 2552 Eqopfbfn.exe 2552 Eqopfbfn.exe 2148 Ekddck32.exe 2148 Ekddck32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dmmgak32.dll Qbmhdp32.exe File created C:\Windows\SysWOW64\Abaaoodq.exe Anfeop32.exe File opened for modification C:\Windows\SysWOW64\Kngaig32.exe Kkhdml32.exe File created C:\Windows\SysWOW64\Ohbjgg32.exe Oecnkk32.exe File created C:\Windows\SysWOW64\Anfeop32.exe Akgibd32.exe File created C:\Windows\SysWOW64\Pmibhn32.dll Jkobgm32.exe File created C:\Windows\SysWOW64\Mcbmmbhb.exe Lpgqlc32.exe File opened for modification C:\Windows\SysWOW64\Bemmenhb.exe Bboahbio.exe File created C:\Windows\SysWOW64\Opfeoj32.dll Holldk32.exe File created C:\Windows\SysWOW64\Lpgqlc32.exe Lmhdph32.exe File opened for modification C:\Windows\SysWOW64\Fqkieogp.exe Fbiijb32.exe File created C:\Windows\SysWOW64\Mdhhbnhi.dll Idemkp32.exe File created C:\Windows\SysWOW64\Mldgbcoe.exe Mifkfhpa.exe File created C:\Windows\SysWOW64\Bhonin32.dll Fohphgce.exe File created C:\Windows\SysWOW64\Apcmlcin.dll Npcika32.exe File created C:\Windows\SysWOW64\Mhgimdld.dll Jdjgfomh.exe File created C:\Windows\SysWOW64\Nhakecld.exe Ninjjf32.exe File created C:\Windows\SysWOW64\Ipfkabpg.exe Iilceh32.exe File opened for modification C:\Windows\SysWOW64\Mpkjgckc.exe Mmmnkglp.exe File opened for modification C:\Windows\SysWOW64\Gbdlnf32.exe Gpeoakhc.exe File opened for modification C:\Windows\SysWOW64\Hipmoc32.exe Hfaqbh32.exe File created C:\Windows\SysWOW64\Lajmkhai.exe Lnlaomae.exe File created C:\Windows\SysWOW64\Cpbnaj32.exe Capmemci.exe File opened for modification C:\Windows\SysWOW64\Gibmep32.exe Gfdaid32.exe File created C:\Windows\SysWOW64\Nldcagaq.exe Nifgekbm.exe File opened for modification C:\Windows\SysWOW64\Qbmhdp32.exe Qonlhd32.exe File created C:\Windows\SysWOW64\Epjqgm32.dll Hlecmkel.exe File opened for modification C:\Windows\SysWOW64\Ocfkaone.exe Ophoecoa.exe File created C:\Windows\SysWOW64\Jidbifmb.exe Igffmkno.exe File created C:\Windows\SysWOW64\Gnkqpnqp.dll Npkfff32.exe File created C:\Windows\SysWOW64\Agfnig32.dll Ckhbnb32.exe File created C:\Windows\SysWOW64\Dcjmcd32.exe Dooqceid.exe File created C:\Windows\SysWOW64\Jogneifn.dll Gindjqnc.exe File opened for modification C:\Windows\SysWOW64\Dglbmg32.exe Ddnfql32.exe File created C:\Windows\SysWOW64\Effhic32.exe Echlmh32.exe File created C:\Windows\SysWOW64\Dcdfdi32.exe Doijcjde.exe File created C:\Windows\SysWOW64\Ffeldglk.exe Fbipdi32.exe File opened for modification C:\Windows\SysWOW64\Nkjdcp32.exe Mlgdhcmb.exe File created C:\Windows\SysWOW64\Pipjpj32.exe Pgnnhbpm.exe File created C:\Windows\SysWOW64\Njaagp32.dll Onapdmma.exe File created C:\Windows\SysWOW64\Ncndladm.dll Efkbdbai.exe File opened for modification C:\Windows\SysWOW64\Dfniee32.exe Dodahk32.exe File created C:\Windows\SysWOW64\Cmfkkl32.dll Gpoibp32.exe File created C:\Windows\SysWOW64\Memlki32.exe Mbopon32.exe File created C:\Windows\SysWOW64\Onapdmma.exe Okcchbnn.exe File opened for modification C:\Windows\SysWOW64\Ihdmld32.exe Ijampgde.exe File created C:\Windows\SysWOW64\Cpkdfb32.dll Jhkclc32.exe File created C:\Windows\SysWOW64\Omjbihpn.exe Oingii32.exe File created C:\Windows\SysWOW64\Onmfin32.exe Oojfnakl.exe File created C:\Windows\SysWOW64\Elndpnnn.exe Enkdda32.exe File opened for modification C:\Windows\SysWOW64\Ockdmn32.exe Oophlpag.exe File created C:\Windows\SysWOW64\Gmcikd32.exe Gjemoi32.exe File created C:\Windows\SysWOW64\Lddkfl32.dll Pnfipm32.exe File created C:\Windows\SysWOW64\Fbiijb32.exe Fjaqhe32.exe File created C:\Windows\SysWOW64\Pdffecqf.dll Iagaod32.exe File opened for modification C:\Windows\SysWOW64\Gjpddigo.exe Gdflgo32.exe File created C:\Windows\SysWOW64\Ljfnnkkc.dll Kfgjdlme.exe File created C:\Windows\SysWOW64\Kgqlke32.dll Ecobmg32.exe File opened for modification C:\Windows\SysWOW64\Igffmkno.exe Ihcfan32.exe File created C:\Windows\SysWOW64\Phkfglid.dll Gphlgk32.exe File created C:\Windows\SysWOW64\Lgmekpmn.exe Lenioenj.exe File created C:\Windows\SysWOW64\Jkllnn32.exe Jgppmpjp.exe File created C:\Windows\SysWOW64\Lnnndl32.exe Ljcbcngi.exe File created C:\Windows\SysWOW64\Plbbmj32.dll Mbopon32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6628 6512 WerFault.exe 640 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbcgnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honiikpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnhmdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocfmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqqdjceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcppgbjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedpdpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaqhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlecmkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memlki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnkkmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaqbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndoelpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblljhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbmco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfjfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capmemci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpidai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakecld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnejdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecmfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckflc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjihdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlogjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liboodmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenioenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfklepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbiijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigcobid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoajgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikicikap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgkcccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qonlhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkcod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdaid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqopfbfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqemeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgppmpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaoodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglbmg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqicph32.dll" Dcdfdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehebqm32.dll" Gjljij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghenamai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchokq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihpflaf.dll" Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokbo32.dll" Jkllnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgahgaj.dll" Fhkagonc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfhnm32.dll" Onmfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgoaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpngmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpkkhei.dll" Pqdelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kphipide.dll" Dooqceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcqoqi32.dll" Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpmijpp.dll" Hbekojlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcppgbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbfcl32.dll" Ohmalgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcocgkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll" Nickoldp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfabpac.dll" Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqifajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdlcl32.dll" Mgoaap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfmahkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhdqma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecmfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccadla32.dll" Mioeeifi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elejqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjkiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccmhojk.dll" Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll" Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qonlhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hndoifdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmapcm32.dll" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oobiclmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohmalgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcgkcccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfnig32.dll" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecmfopg.dll" Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihijhpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmnkglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplkah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bemmenhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlbaljhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgahboge.dll" Gibmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Degjpgmg.dll" Jpnkep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocihgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcpoa32.dll" Mfebdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmkph32.dll" Hmpbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapjpi32.dll" Ifhgcgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfigef32.dll" Lndqbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kepgjk32.dll" Midnqh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2332 2164 4646e5e92a9910eaf6012e6492177190N.exe 30 PID 2164 wrote to memory of 2332 2164 4646e5e92a9910eaf6012e6492177190N.exe 30 PID 2164 wrote to memory of 2332 2164 4646e5e92a9910eaf6012e6492177190N.exe 30 PID 2164 wrote to memory of 2332 2164 4646e5e92a9910eaf6012e6492177190N.exe 30 PID 2332 wrote to memory of 1884 2332 Blaobmkq.exe 31 PID 2332 wrote to memory of 1884 2332 Blaobmkq.exe 31 PID 2332 wrote to memory of 1884 2332 Blaobmkq.exe 31 PID 2332 wrote to memory of 1884 2332 Blaobmkq.exe 31 PID 1884 wrote to memory of 2216 1884 Cggcofkf.exe 32 PID 1884 wrote to memory of 2216 1884 Cggcofkf.exe 32 PID 1884 wrote to memory of 2216 1884 Cggcofkf.exe 32 PID 1884 wrote to memory of 2216 1884 Cggcofkf.exe 32 PID 2216 wrote to memory of 2100 2216 Cggcofkf.exe 33 PID 2216 wrote to memory of 2100 2216 Cggcofkf.exe 33 PID 2216 wrote to memory of 2100 2216 Cggcofkf.exe 33 PID 2216 wrote to memory of 2100 2216 Cggcofkf.exe 33 PID 2100 wrote to memory of 2956 2100 Cobhdhha.exe 34 PID 2100 wrote to memory of 2956 2100 Cobhdhha.exe 34 PID 2100 wrote to memory of 2956 2100 Cobhdhha.exe 34 PID 2100 wrote to memory of 2956 2100 Cobhdhha.exe 34 PID 2956 wrote to memory of 1976 2956 Capdpcge.exe 35 PID 2956 wrote to memory of 1976 2956 Capdpcge.exe 35 PID 2956 wrote to memory of 1976 2956 Capdpcge.exe 35 PID 2956 wrote to memory of 1976 2956 Capdpcge.exe 35 PID 1976 wrote to memory of 3064 1976 Ckiiiine.exe 36 PID 1976 wrote to memory of 3064 1976 Ckiiiine.exe 36 PID 1976 wrote to memory of 3064 1976 Ckiiiine.exe 36 PID 1976 wrote to memory of 3064 1976 Ckiiiine.exe 36 PID 3064 wrote to memory of 492 3064 Cabaec32.exe 37 PID 3064 wrote to memory of 492 3064 Cabaec32.exe 37 PID 3064 wrote to memory of 492 3064 Cabaec32.exe 37 PID 3064 wrote to memory of 492 3064 Cabaec32.exe 37 PID 492 wrote to memory of 1700 492 Caenkc32.exe 38 PID 492 wrote to memory of 1700 492 Caenkc32.exe 38 PID 492 wrote to memory of 1700 492 Caenkc32.exe 38 PID 492 wrote to memory of 1700 492 Caenkc32.exe 38 PID 1700 wrote to memory of 3044 1700 Cdcjgnbc.exe 39 PID 1700 wrote to memory of 3044 1700 Cdcjgnbc.exe 39 PID 1700 wrote to memory of 3044 1700 Cdcjgnbc.exe 39 PID 1700 wrote to memory of 3044 1700 Cdcjgnbc.exe 39 PID 3044 wrote to memory of 2088 3044 Cgbfcjag.exe 40 PID 3044 wrote to memory of 2088 3044 Cgbfcjag.exe 40 PID 3044 wrote to memory of 2088 3044 Cgbfcjag.exe 40 PID 3044 wrote to memory of 2088 3044 Cgbfcjag.exe 40 PID 2088 wrote to memory of 2272 2088 Cpjklo32.exe 41 PID 2088 wrote to memory of 2272 2088 Cpjklo32.exe 41 PID 2088 wrote to memory of 2272 2088 Cpjklo32.exe 41 PID 2088 wrote to memory of 2272 2088 Cpjklo32.exe 41 PID 2272 wrote to memory of 700 2272 Ckpoih32.exe 42 PID 2272 wrote to memory of 700 2272 Ckpoih32.exe 42 PID 2272 wrote to memory of 700 2272 Ckpoih32.exe 42 PID 2272 wrote to memory of 700 2272 Ckpoih32.exe 42 PID 700 wrote to memory of 2400 700 Dnnkec32.exe 43 PID 700 wrote to memory of 2400 700 Dnnkec32.exe 43 PID 700 wrote to memory of 2400 700 Dnnkec32.exe 43 PID 700 wrote to memory of 2400 700 Dnnkec32.exe 43 PID 2400 wrote to memory of 2056 2400 Dckcnj32.exe 44 PID 2400 wrote to memory of 2056 2400 Dckcnj32.exe 44 PID 2400 wrote to memory of 2056 2400 Dckcnj32.exe 44 PID 2400 wrote to memory of 2056 2400 Dckcnj32.exe 44 PID 2056 wrote to memory of 1180 2056 Djeljd32.exe 45 PID 2056 wrote to memory of 1180 2056 Djeljd32.exe 45 PID 2056 wrote to memory of 1180 2056 Djeljd32.exe 45 PID 2056 wrote to memory of 1180 2056 Djeljd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4646e5e92a9910eaf6012e6492177190N.exe"C:\Users\Admin\AppData\Local\Temp\4646e5e92a9910eaf6012e6492177190N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Cabaec32.exeC:\Windows\system32\Cabaec32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Caenkc32.exeC:\Windows\system32\Caenkc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Cpjklo32.exeC:\Windows\system32\Cpjklo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Elmkmo32.exeC:\Windows\system32\Elmkmo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Eblpke32.exeC:\Windows\system32\Eblpke32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe33⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe35⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe36⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe37⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe38⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe39⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe40⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Ffeldglk.exeC:\Windows\system32\Ffeldglk.exe42⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe45⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Fhkagonc.exeC:\Windows\system32\Fhkagonc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe50⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe51⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gjljij32.exeC:\Windows\system32\Gjljij32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Geaofc32.exeC:\Windows\system32\Geaofc32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe55⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Gjngoj32.exeC:\Windows\system32\Gjngoj32.exe56⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Gnicoh32.exeC:\Windows\system32\Gnicoh32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe58⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe60⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe61⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe62⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe63⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe64⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe66⤵PID:2768
-
C:\Windows\SysWOW64\Gjemoi32.exeC:\Windows\system32\Gjemoi32.exe67⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Gmcikd32.exeC:\Windows\system32\Gmcikd32.exe68⤵PID:2824
-
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe69⤵PID:2200
-
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Hflndjin.exeC:\Windows\system32\Hflndjin.exe71⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Hijjpeha.exeC:\Windows\system32\Hijjpeha.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe73⤵PID:2232
-
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Heakefnf.exeC:\Windows\system32\Heakefnf.exe75⤵PID:3036
-
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe76⤵PID:2392
-
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe77⤵PID:1184
-
C:\Windows\SysWOW64\Hbekojlp.exeC:\Windows\system32\Hbekojlp.exe78⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe79⤵PID:852
-
C:\Windows\SysWOW64\Hhadgakg.exeC:\Windows\system32\Hhadgakg.exe80⤵PID:1632
-
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe81⤵PID:988
-
C:\Windows\SysWOW64\Holldk32.exeC:\Windows\system32\Holldk32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe83⤵PID:1760
-
C:\Windows\SysWOW64\Hdhdlbpk.exeC:\Windows\system32\Hdhdlbpk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe85⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe86⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Hmqieh32.exeC:\Windows\system32\Hmqieh32.exe87⤵PID:2696
-
C:\Windows\SysWOW64\Hehafe32.exeC:\Windows\system32\Hehafe32.exe88⤵PID:2220
-
C:\Windows\SysWOW64\Hhfmbq32.exeC:\Windows\system32\Hhfmbq32.exe89⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Hkejnl32.exeC:\Windows\system32\Hkejnl32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Imcfjg32.exeC:\Windows\system32\Imcfjg32.exe91⤵PID:2748
-
C:\Windows\SysWOW64\Idmnga32.exeC:\Windows\system32\Idmnga32.exe92⤵PID:1716
-
C:\Windows\SysWOW64\Ihijhpdo.exeC:\Windows\system32\Ihijhpdo.exe93⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe94⤵PID:2012
-
C:\Windows\SysWOW64\Iijfoh32.exeC:\Windows\system32\Iijfoh32.exe95⤵PID:1992
-
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe96⤵PID:880
-
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe97⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ikicikap.exeC:\Windows\system32\Ikicikap.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe99⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe100⤵PID:2752
-
C:\Windows\SysWOW64\Icdhnn32.exeC:\Windows\system32\Icdhnn32.exe101⤵PID:2872
-
C:\Windows\SysWOW64\Ijopjhfh.exeC:\Windows\system32\Ijopjhfh.exe102⤵PID:2908
-
C:\Windows\SysWOW64\Ilmlfcel.exeC:\Windows\system32\Ilmlfcel.exe103⤵PID:1772
-
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe104⤵PID:344
-
C:\Windows\SysWOW64\Icgdcm32.exeC:\Windows\system32\Icgdcm32.exe105⤵PID:2396
-
C:\Windows\SysWOW64\Ijampgde.exeC:\Windows\system32\Ijampgde.exe106⤵
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Ihdmld32.exeC:\Windows\system32\Ihdmld32.exe107⤵PID:1728
-
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe108⤵PID:1996
-
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe109⤵PID:1564
-
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe110⤵PID:2952
-
C:\Windows\SysWOW64\Jhfjadim.exeC:\Windows\system32\Jhfjadim.exe111⤵PID:2736
-
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe112⤵PID:1076
-
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe113⤵PID:2888
-
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe114⤵PID:2784
-
C:\Windows\SysWOW64\Jfjjkhhg.exeC:\Windows\system32\Jfjjkhhg.exe115⤵PID:2288
-
C:\Windows\SysWOW64\Jldbgb32.exeC:\Windows\system32\Jldbgb32.exe116⤵PID:1876
-
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828 -
C:\Windows\SysWOW64\Jbakpi32.exeC:\Windows\system32\Jbakpi32.exe118⤵PID:2424
-
C:\Windows\SysWOW64\Jflgph32.exeC:\Windows\system32\Jflgph32.exe119⤵PID:1824
-
C:\Windows\SysWOW64\Jhkclc32.exeC:\Windows\system32\Jhkclc32.exe120⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Jkioho32.exeC:\Windows\system32\Jkioho32.exe121⤵PID:2700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-