Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 02:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
-
Size
91KB
-
MD5
3cbb5415a6c882b1e8a71d93ab6c0ac0
-
SHA1
ebd21de777e7420f85f8b94bb8f7bb80e5038366
-
SHA256
0b247ed322275156fbd7ad46c49dea585cb0adad17ea4413fd6275cdccb3de9a
-
SHA512
bee18e0626f4ea74bdd3bbe0b01cd145848b6e21a25ea1435aa99ed78b14fcf4fe9c13dd18243d024e06bf80bfd18b3c7aa510d2363ca084f482c0e57abe9eed
-
SSDEEP
1536:jgBFU4PvuQzDUgbhv6zg2w7wutk6NdPCMwdghkOe+TMI:jWFru41hiz+htjHwihEP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnodgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhklna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heqimm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkbpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkcpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhhed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhddh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njalacon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncipjieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhpejbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clciod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmjid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomcpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imogcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imacijjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoaill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqapnjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbghhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgdgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qifnhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjkphjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngilalk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkgldm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehdhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlemlnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaphmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnpddeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggiofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnqphhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkhjdde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgjdong.exe -
Executes dropped EXE 64 IoCs
pid Process 2716 Pfflql32.exe 1168 Pnmdbi32.exe 2584 Palpneop.exe 2576 Ppopja32.exe 2344 Qpamoa32.exe 2988 Qjfalj32.exe 2372 Qiiahgjh.exe 1248 Qbafalph.exe 2664 Aepbmhpl.exe 2944 Aohgfm32.exe 2548 Afpogk32.exe 1052 Allgoa32.exe 320 Abfoll32.exe 2124 Aipgifcp.exe 1932 Ahchdb32.exe 2532 Aaklmhak.exe 2052 Adjhicpo.exe 1036 Akdafn32.exe 3028 Aoomflpd.exe 1572 Anbmbi32.exe 1988 Aeiecfga.exe 2236 Aoaill32.exe 1760 Bapfhg32.exe 2856 Bpcfcddp.exe 2672 Bhjneadb.exe 1620 Bikjmj32.exe 2712 Bngfmhbj.exe 2560 Bgokfnij.exe 2572 Bkkgfm32.exe 2820 Bdckobhd.exe 2996 Bgahkngh.exe 1068 Blnpddeo.exe 1548 Bpjldc32.exe 2876 Bgddam32.exe 2888 Bjbqmi32.exe 2484 Bplijcle.exe 1144 Bckefnki.exe 2864 Chgnneiq.exe 2136 Clciod32.exe 1264 Cfknhi32.exe 2308 Chjjde32.exe 2452 Codbqonk.exe 904 Cbbomjnn.exe 328 Cdqkifmb.exe 2312 Ckkcep32.exe 1252 Cqglng32.exe 764 Chocodch.exe 3024 Cjppfl32.exe 2848 Cbghhj32.exe 2392 Cdedde32.exe 2608 Cchdpbog.exe 1964 Ckomqopi.exe 2912 Cjbmll32.exe 2184 Cmqihg32.exe 636 Ddhaie32.exe 2880 Dgfmep32.exe 2660 Dfinam32.exe 1672 Dnpebj32.exe 2164 Dmcfngde.exe 2152 Dcmnja32.exe 2288 Dghjkpck.exe 912 Djgfgkbo.exe 932 Dijfch32.exe 1776 Dqaode32.exe -
Loads dropped DLL 64 IoCs
pid Process 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 2716 Pfflql32.exe 2716 Pfflql32.exe 1168 Pnmdbi32.exe 1168 Pnmdbi32.exe 2584 Palpneop.exe 2584 Palpneop.exe 2576 Ppopja32.exe 2576 Ppopja32.exe 2344 Qpamoa32.exe 2344 Qpamoa32.exe 2988 Qjfalj32.exe 2988 Qjfalj32.exe 2372 Qiiahgjh.exe 2372 Qiiahgjh.exe 1248 Qbafalph.exe 1248 Qbafalph.exe 2664 Aepbmhpl.exe 2664 Aepbmhpl.exe 2944 Aohgfm32.exe 2944 Aohgfm32.exe 2548 Afpogk32.exe 2548 Afpogk32.exe 1052 Allgoa32.exe 1052 Allgoa32.exe 320 Abfoll32.exe 320 Abfoll32.exe 2124 Aipgifcp.exe 2124 Aipgifcp.exe 1932 Ahchdb32.exe 1932 Ahchdb32.exe 2532 Aaklmhak.exe 2532 Aaklmhak.exe 2052 Adjhicpo.exe 2052 Adjhicpo.exe 1036 Akdafn32.exe 1036 Akdafn32.exe 3028 Aoomflpd.exe 3028 Aoomflpd.exe 1572 Anbmbi32.exe 1572 Anbmbi32.exe 1988 Aeiecfga.exe 1988 Aeiecfga.exe 2236 Aoaill32.exe 2236 Aoaill32.exe 1760 Bapfhg32.exe 1760 Bapfhg32.exe 2856 Bpcfcddp.exe 2856 Bpcfcddp.exe 2672 Bhjneadb.exe 2672 Bhjneadb.exe 1620 Bikjmj32.exe 1620 Bikjmj32.exe 2712 Bngfmhbj.exe 2712 Bngfmhbj.exe 2560 Bgokfnij.exe 2560 Bgokfnij.exe 2572 Bkkgfm32.exe 2572 Bkkgfm32.exe 2820 Bdckobhd.exe 2820 Bdckobhd.exe 2996 Bgahkngh.exe 2996 Bgahkngh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jihdnk32.exe Jelhmlgm.exe File opened for modification C:\Windows\SysWOW64\Kngekdnf.exe Klhioioc.exe File created C:\Windows\SysWOW64\Cahcle32.dll Khojcj32.exe File created C:\Windows\SysWOW64\Onldqejb.exe Oknhdjko.exe File created C:\Windows\SysWOW64\Bedoacoi.dll Boleejag.exe File opened for modification C:\Windows\SysWOW64\Cdkkcp32.exe Camnge32.exe File created C:\Windows\SysWOW64\Jajdfk32.dll Cmqihg32.exe File created C:\Windows\SysWOW64\Ahadcefi.dll Enneln32.exe File created C:\Windows\SysWOW64\Ddppmclb.exe Dbadagln.exe File created C:\Windows\SysWOW64\Dbdagg32.exe Dnhefh32.exe File created C:\Windows\SysWOW64\Lpaehl32.exe Lmcilp32.exe File created C:\Windows\SysWOW64\Nceqcnpi.dll Dfkclf32.exe File created C:\Windows\SysWOW64\Epqgopbi.exe Eqngcc32.exe File created C:\Windows\SysWOW64\Cifqgb32.dll Hnnjfo32.exe File created C:\Windows\SysWOW64\Fnejdq32.dll Iblola32.exe File opened for modification C:\Windows\SysWOW64\Qjfalj32.exe Qpamoa32.exe File opened for modification C:\Windows\SysWOW64\Apenjhfe.dll Mkdioh32.exe File opened for modification C:\Windows\SysWOW64\Kmclmm32.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Ldmaijdc.exe Lpaehl32.exe File created C:\Windows\SysWOW64\Neplhe32.dll Ppkmjlca.exe File opened for modification C:\Windows\SysWOW64\Djoeki32.exe Dklepmal.exe File created C:\Windows\SysWOW64\Dnpebj32.exe Dfinam32.exe File created C:\Windows\SysWOW64\Lblcge32.dll Flcojeak.exe File opened for modification C:\Windows\SysWOW64\Lgpfpe32.exe Ldbjdj32.exe File opened for modification C:\Windows\SysWOW64\Nhmbdl32.exe Npfjbn32.exe File created C:\Windows\SysWOW64\Aankboko.dll Clilmbhd.exe File created C:\Windows\SysWOW64\Ikkkijnk.dll Aohgfm32.exe File created C:\Windows\SysWOW64\Bgjbpi32.dll Chgnneiq.exe File opened for modification C:\Windows\SysWOW64\Hjlemlnk.exe Heqimm32.exe File opened for modification C:\Windows\SysWOW64\Jeoeclek.exe Jbphgpfg.exe File opened for modification C:\Windows\SysWOW64\Jahbmlil.exe Jmlfmn32.exe File created C:\Windows\SysWOW64\Ldbjdj32.exe Lpfnckhe.exe File created C:\Windows\SysWOW64\Dfkclf32.exe Doqkpl32.exe File opened for modification C:\Windows\SysWOW64\Ebknblho.exe Ejdfqogm.exe File created C:\Windows\SysWOW64\Gkpakq32.exe Ggdekbgb.exe File created C:\Windows\SysWOW64\Lpdankjg.exe Laaabo32.exe File opened for modification C:\Windows\SysWOW64\Bihgmdih.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Ckecpjdh.exe File created C:\Windows\SysWOW64\Qhalbm32.dll Ddmchcnd.exe File created C:\Windows\SysWOW64\Gffeolhl.dll Clciod32.exe File opened for modification C:\Windows\SysWOW64\Cqglng32.exe Ckkcep32.exe File created C:\Windows\SysWOW64\Joblkegc.exe Jkfpjf32.exe File created C:\Windows\SysWOW64\Lkelpd32.exe Lhfpdi32.exe File opened for modification C:\Windows\SysWOW64\Ahngomkd.exe Aeokba32.exe File opened for modification C:\Windows\SysWOW64\Ecmjid32.exe Ebknblho.exe File created C:\Windows\SysWOW64\Gajjhkgh.exe Gmnngl32.exe File created C:\Windows\SysWOW64\Jfhbig32.dll Ingmmn32.exe File opened for modification C:\Windows\SysWOW64\Keoabo32.exe Kflafbak.exe File created C:\Windows\SysWOW64\Lcfejhma.dll Koibpd32.exe File created C:\Windows\SysWOW64\Hhfdfc32.dll Mlmoilni.exe File created C:\Windows\SysWOW64\Odljflhj.dll Nnodgbed.exe File created C:\Windows\SysWOW64\Odflmp32.exe Oqkpmaif.exe File created C:\Windows\SysWOW64\Eehhiell.dll Cfknhi32.exe File created C:\Windows\SysWOW64\Copblmbb.dll Hhoeii32.exe File opened for modification C:\Windows\SysWOW64\Pbjifgcd.exe Ppkmjlca.exe File opened for modification C:\Windows\SysWOW64\Ahpddmia.exe Addhcn32.exe File created C:\Windows\SysWOW64\Dekqhpoi.dll Emeobj32.exe File opened for modification C:\Windows\SysWOW64\Flhhed32.exe Fhmldfdm.exe File created C:\Windows\SysWOW64\Fnjkajpb.dll Khagijcd.exe File opened for modification C:\Windows\SysWOW64\Lgnjke32.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Pmfjmake.exe Pncjad32.exe File opened for modification C:\Windows\SysWOW64\Qdpohodn.exe Qemomb32.exe File created C:\Windows\SysWOW64\Epmjjhhd.dll Qjfalj32.exe File opened for modification C:\Windows\SysWOW64\Docopbaf.exe Dqaode32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5932 5924 WerFault.exe 517 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfebhmbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelhmlgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclqqeaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfnnnhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiecfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnqphhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpgloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjgol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqaode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blipno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjomogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiebnjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqcmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkqiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapfhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmficl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohmonb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbmbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhfhec32.dll" Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfibfeh.dll" Lmcilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfnckhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcfngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idohdhbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkinbcp.dll" Ejioln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnpjc32.dll" Eaednh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfikokgf.dll" Aoaill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmidlmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcmcebkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeaahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhdihjd.dll" Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnmik32.dll" Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfnb32.dll" Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apenjhfe.dll" Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boleejag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfdgq32.dll" Ijqjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaloola.dll" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll" Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calonebc.dll" Imhqbkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkbpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmoilni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhjjddo.dll" 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoaill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abfoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jailfk32.dll" Jahbmlil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhipkdd.dll" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjeh32.dll" Ckecpjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jandaf32.dll" Ggiofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqapnjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfkihon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allapi32.dll" Palpneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmpji32.dll" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfigi32.dll" Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honlnbae.dll" Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaipj32.dll" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edcqjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefmn32.dll" Hofqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkcccnb.dll" Addhcn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2716 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 30 PID 2772 wrote to memory of 2716 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 30 PID 2772 wrote to memory of 2716 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 30 PID 2772 wrote to memory of 2716 2772 3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe 30 PID 2716 wrote to memory of 1168 2716 Pfflql32.exe 31 PID 2716 wrote to memory of 1168 2716 Pfflql32.exe 31 PID 2716 wrote to memory of 1168 2716 Pfflql32.exe 31 PID 2716 wrote to memory of 1168 2716 Pfflql32.exe 31 PID 1168 wrote to memory of 2584 1168 Pnmdbi32.exe 32 PID 1168 wrote to memory of 2584 1168 Pnmdbi32.exe 32 PID 1168 wrote to memory of 2584 1168 Pnmdbi32.exe 32 PID 1168 wrote to memory of 2584 1168 Pnmdbi32.exe 32 PID 2584 wrote to memory of 2576 2584 Palpneop.exe 33 PID 2584 wrote to memory of 2576 2584 Palpneop.exe 33 PID 2584 wrote to memory of 2576 2584 Palpneop.exe 33 PID 2584 wrote to memory of 2576 2584 Palpneop.exe 33 PID 2576 wrote to memory of 2344 2576 Ppopja32.exe 34 PID 2576 wrote to memory of 2344 2576 Ppopja32.exe 34 PID 2576 wrote to memory of 2344 2576 Ppopja32.exe 34 PID 2576 wrote to memory of 2344 2576 Ppopja32.exe 34 PID 2344 wrote to memory of 2988 2344 Qpamoa32.exe 35 PID 2344 wrote to memory of 2988 2344 Qpamoa32.exe 35 PID 2344 wrote to memory of 2988 2344 Qpamoa32.exe 35 PID 2344 wrote to memory of 2988 2344 Qpamoa32.exe 35 PID 2988 wrote to memory of 2372 2988 Qjfalj32.exe 36 PID 2988 wrote to memory of 2372 2988 Qjfalj32.exe 36 PID 2988 wrote to memory of 2372 2988 Qjfalj32.exe 36 PID 2988 wrote to memory of 2372 2988 Qjfalj32.exe 36 PID 2372 wrote to memory of 1248 2372 Qiiahgjh.exe 37 PID 2372 wrote to memory of 1248 2372 Qiiahgjh.exe 37 PID 2372 wrote to memory of 1248 2372 Qiiahgjh.exe 37 PID 2372 wrote to memory of 1248 2372 Qiiahgjh.exe 37 PID 1248 wrote to memory of 2664 1248 Qbafalph.exe 38 PID 1248 wrote to memory of 2664 1248 Qbafalph.exe 38 PID 1248 wrote to memory of 2664 1248 Qbafalph.exe 38 PID 1248 wrote to memory of 2664 1248 Qbafalph.exe 38 PID 2664 wrote to memory of 2944 2664 Aepbmhpl.exe 39 PID 2664 wrote to memory of 2944 2664 Aepbmhpl.exe 39 PID 2664 wrote to memory of 2944 2664 Aepbmhpl.exe 39 PID 2664 wrote to memory of 2944 2664 Aepbmhpl.exe 39 PID 2944 wrote to memory of 2548 2944 Aohgfm32.exe 40 PID 2944 wrote to memory of 2548 2944 Aohgfm32.exe 40 PID 2944 wrote to memory of 2548 2944 Aohgfm32.exe 40 PID 2944 wrote to memory of 2548 2944 Aohgfm32.exe 40 PID 2548 wrote to memory of 1052 2548 Afpogk32.exe 41 PID 2548 wrote to memory of 1052 2548 Afpogk32.exe 41 PID 2548 wrote to memory of 1052 2548 Afpogk32.exe 41 PID 2548 wrote to memory of 1052 2548 Afpogk32.exe 41 PID 1052 wrote to memory of 320 1052 Allgoa32.exe 42 PID 1052 wrote to memory of 320 1052 Allgoa32.exe 42 PID 1052 wrote to memory of 320 1052 Allgoa32.exe 42 PID 1052 wrote to memory of 320 1052 Allgoa32.exe 42 PID 320 wrote to memory of 2124 320 Abfoll32.exe 43 PID 320 wrote to memory of 2124 320 Abfoll32.exe 43 PID 320 wrote to memory of 2124 320 Abfoll32.exe 43 PID 320 wrote to memory of 2124 320 Abfoll32.exe 43 PID 2124 wrote to memory of 1932 2124 Aipgifcp.exe 44 PID 2124 wrote to memory of 1932 2124 Aipgifcp.exe 44 PID 2124 wrote to memory of 1932 2124 Aipgifcp.exe 44 PID 2124 wrote to memory of 1932 2124 Aipgifcp.exe 44 PID 1932 wrote to memory of 2532 1932 Ahchdb32.exe 45 PID 1932 wrote to memory of 2532 1932 Ahchdb32.exe 45 PID 1932 wrote to memory of 2532 1932 Ahchdb32.exe 45 PID 1932 wrote to memory of 2532 1932 Ahchdb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe"C:\Users\Admin\AppData\Local\Temp\3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe34⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe35⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe37⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe38⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe42⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe43⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe44⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe45⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe47⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe49⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe50⤵PID:2688
-
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe52⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe54⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe55⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe57⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe58⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe60⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe63⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe64⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe65⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe67⤵PID:808
-
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe68⤵PID:2832
-
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe69⤵PID:2568
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe70⤵PID:2680
-
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe72⤵PID:1244
-
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe73⤵PID:1676
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe74⤵PID:2020
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe75⤵PID:2924
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe76⤵PID:2424
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe78⤵PID:2900
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe79⤵PID:2120
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe80⤵PID:2332
-
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe82⤵PID:2068
-
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe83⤵PID:2280
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe84⤵PID:1236
-
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe85⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe86⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe88⤵PID:2220
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe90⤵
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe91⤵PID:3056
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe93⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe95⤵PID:340
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe96⤵PID:2500
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe97⤵PID:2760
-
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe98⤵PID:2700
-
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe99⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe100⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe101⤵PID:1084
-
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe102⤵PID:2928
-
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe103⤵PID:776
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe104⤵PID:1876
-
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe105⤵PID:1872
-
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe107⤵PID:1188
-
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe108⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe109⤵PID:1184
-
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe110⤵PID:2744
-
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe111⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe112⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe113⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe114⤵PID:1680
-
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe115⤵PID:1756
-
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe116⤵PID:300
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe117⤵PID:1568
-
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe118⤵PID:880
-
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe119⤵PID:1628
-
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe120⤵PID:1064
-
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe121⤵
- Drops file in System32 directory
PID:408
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-