Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/09/2024, 12:09

Static task: static1

Behavioral task: behavioral1
Sample: 0325da623cbc8ed1933f9fed4ed1a290N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 0325da623cbc8ed1933f9fed4ed1a290N.exe
Resource: win10v2004-20240802-en

General
Target: 0325da623cbc8ed1933f9fed4ed1a290N.exe
Size: 377KB
MD5: 0325da623cbc8ed1933f9fed4ed1a290
SHA1: a0d28752334d9f5f64043e7cef62889824b2ed29
SHA256: 771ea3a5dd5d00819b6b4647fb145b73ac47d66d58b2371fa752332ed6163fe9
SHA512: 43ab266e23b05b3b51944347919f3f862dd8a8e4834c1ea36ea78438dcb5f249cc5c0c54e6450fc8da110bcca5abb806248b6b17e9373862eda7aad880d3ad3e
SSDEEP: 3072:xUeYzhHjeHL3vNl5ecz7RAxFKUXCt8/zAIo92VGiK/zAIC588:mRdQ3vNl5fKx/SgnohignC5V
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3356, pid_target: 3496, Process: WerFault.exe, procid_target: 928
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2252 wrote to memory of 2364 2252 0325da623cbc8ed1933f9fed4ed1a290N.exe 29
PID 2252 wrote to memory of 2364 2252 0325da623cbc8ed1933f9fed4ed1a290N.exe 29
PID 2252 wrote to memory of 2364 2252 0325da623cbc8ed1933f9fed4ed1a290N.exe 29
PID 2252 wrote to memory of 2364 2252 0325da623cbc8ed1933f9fed4ed1a290N.exe 29
PID 2364 wrote to memory of 2380 2364 Panboflg.exe 30
PID 2364 wrote to memory of 2380 2364 Panboflg.exe 30
PID 2364 wrote to memory of 2380 2364 Panboflg.exe 30
PID 2364 wrote to memory of 2380 2364 Panboflg.exe 30
PID 2380 wrote to memory of 2776 2380 Pfkkhmjn.exe 31
PID 2380 wrote to memory of 2776 2380 Pfkkhmjn.exe 31
PID 2380 wrote to memory of 2776 2380 Pfkkhmjn.exe 31
PID 2380 wrote to memory of 2776 2380 Pfkkhmjn.exe 31
PID 2776 wrote to memory of 2264 2776 Qegnii32.exe 32
PID 2776 wrote to memory of 2264 2776 Qegnii32.exe 32
PID 2776 wrote to memory of 2264 2776 Qegnii32.exe 32
PID 2776 wrote to memory of 2264 2776 Qegnii32.exe 32
PID 2264 wrote to memory of 2636 2264 Aeikohgk.exe 33
PID 2264 wrote to memory of 2636 2264 Aeikohgk.exe 33
PID 2264 wrote to memory of 2636 2264 Aeikohgk.exe 33
PID 2264 wrote to memory of 2636 2264 Aeikohgk.exe 33
PID 2636 wrote to memory of 984 2636 Afdjmo32.exe 34
PID 2636 wrote to memory of 984 2636 Afdjmo32.exe 34
PID 2636 wrote to memory of 984 2636 Afdjmo32.exe 34
PID 2636 wrote to memory of 984 2636 Afdjmo32.exe 34
PID 984 wrote to memory of 2552 984 Bbpdmp32.exe 35
PID 984 wrote to memory of 2552 984 Bbpdmp32.exe 35
PID 984 wrote to memory of 2552 984 Bbpdmp32.exe 35
PID 984 wrote to memory of 2552 984 Bbpdmp32.exe 35
PID 2552 wrote to memory of 1400 2552 Ckoblapc.exe 36
PID 2552 wrote to memory of 1400 2552 Ckoblapc.exe 36
PID 2552 wrote to memory of 1400 2552 Ckoblapc.exe 36
PID 2552 wrote to memory of 1400 2552 Ckoblapc.exe 36
PID 1400 wrote to memory of 2416 1400 Cpadpg32.exe 37
PID 1400 wrote to memory of 2416 1400 Cpadpg32.exe 37
PID 1400 wrote to memory of 2416 1400 Cpadpg32.exe 37
PID 1400 wrote to memory of 2416 1400 Cpadpg32.exe 37
PID 2416 wrote to memory of 1324 2416 Dllnphkd.exe 38
PID 2416 wrote to memory of 1324 2416 Dllnphkd.exe 38
PID 2416 wrote to memory of 1324 2416 Dllnphkd.exe 38
PID 2416 wrote to memory of 1324 2416 Dllnphkd.exe 38
PID 1324 wrote to memory of 2904 1324 Dkakad32.exe 39
PID 1324 wrote to memory of 2904 1324 Dkakad32.exe 39
PID 1324 wrote to memory of 2904 1324 Dkakad32.exe 39
PID 1324 wrote to memory of 2904 1324 Dkakad32.exe 39
PID 2904 wrote to memory of 1620 2904 Eiehilaa.exe 40
PID 2904 wrote to memory of 1620 2904 Eiehilaa.exe 40
PID 2904 wrote to memory of 1620 2904 Eiehilaa.exe 40
PID 2904 wrote to memory of 1620 2904 Eiehilaa.exe 40
PID 1620 wrote to memory of 1752 1620 Emcqpjhh.exe 41
PID 1620 wrote to memory of 1752 1620 Emcqpjhh.exe 41
PID 1620 wrote to memory of 1752 1620 Emcqpjhh.exe 41
PID 1620 wrote to memory of 1752 1620 Emcqpjhh.exe 41
PID 1752 wrote to memory of 2532 1752 Gigano32.exe 42
PID 1752 wrote to memory of 2532 1752 Gigano32.exe 42
PID 1752 wrote to memory of 2532 1752 Gigano32.exe 42
PID 1752 wrote to memory of 2532 1752 Gigano32.exe 42
PID 2532 wrote to memory of 1100 2532 Gfpkbbmo.exe 43
PID 2532 wrote to memory of 1100 2532 Gfpkbbmo.exe 43
PID 2532 wrote to memory of 1100 2532 Gfpkbbmo.exe 43
PID 2532 wrote to memory of 1100 2532 Gfpkbbmo.exe 43
PID 1100 wrote to memory of 844 1100 Hpcbol32.exe 44
PID 1100 wrote to memory of 844 1100 Hpcbol32.exe 44
PID 1100 wrote to memory of 844 1100 Hpcbol32.exe 44
PID 1100 wrote to memory of 844 1100 Hpcbol32.exe 44
Processes
-
(bracketed number = depth in the process tree; each process is started by the one listed above it)
[1] C:\Users\Admin\AppData\Local\Temp\0325da623cbc8ed1933f9fed4ed1a290N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0325da623cbc8ed1933f9fed4ed1a290N.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2252
[2] C:\Windows\SysWOW64\Panboflg.exe
    Command line: C:\Windows\system32\Panboflg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2364
[3] C:\Windows\SysWOW64\Pfkkhmjn.exe
    Command line: C:\Windows\system32\Pfkkhmjn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2380
[4] C:\Windows\SysWOW64\Qegnii32.exe
    Command line: C:\Windows\system32\Qegnii32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
[5] C:\Windows\SysWOW64\Aeikohgk.exe
    Command line: C:\Windows\system32\Aeikohgk.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2264
[6] C:\Windows\SysWOW64\Afdjmo32.exe
    Command line: C:\Windows\system32\Afdjmo32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
[7] C:\Windows\SysWOW64\Bbpdmp32.exe
    Command line: C:\Windows\system32\Bbpdmp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:984
[8] C:\Windows\SysWOW64\Ckoblapc.exe
    Command line: C:\Windows\system32\Ckoblapc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2552
[9] C:\Windows\SysWOW64\Cpadpg32.exe
    Command line: C:\Windows\system32\Cpadpg32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1400
[10] C:\Windows\SysWOW64\Dllnphkd.exe
    Command line: C:\Windows\system32\Dllnphkd.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
[11] C:\Windows\SysWOW64\Dkakad32.exe
    Command line: C:\Windows\system32\Dkakad32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1324
[12] C:\Windows\SysWOW64\Eiehilaa.exe
    Command line: C:\Windows\system32\Eiehilaa.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2904
[13] C:\Windows\SysWOW64\Emcqpjhh.exe
    Command line: C:\Windows\system32\Emcqpjhh.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1620
[14] C:\Windows\SysWOW64\Gigano32.exe
    Command line: C:\Windows\system32\Gigano32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1752
[15] C:\Windows\SysWOW64\Gfpkbbmo.exe
    Command line: C:\Windows\system32\Gfpkbbmo.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
[16] C:\Windows\SysWOW64\Hpcbol32.exe
    Command line: C:\Windows\system32\Hpcbol32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1100
[17] C:\Windows\SysWOW64\Hpfoekhm.exe
    Command line: C:\Windows\system32\Hpfoekhm.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:844
[18] C:\Windows\SysWOW64\Hnjonpgg.exe
    Command line: C:\Windows\system32\Hnjonpgg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2468
[19] C:\Windows\SysWOW64\Ianambhc.exe
    Command line: C:\Windows\system32\Ianambhc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1476
[20] C:\Windows\SysWOW64\Jqonjmbn.exe
    Command line: C:\Windows\system32\Jqonjmbn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2156
[21] C:\Windows\SysWOW64\Jjgbbc32.exe
    Command line: C:\Windows\system32\Jjgbbc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2312
[22] C:\Windows\SysWOW64\Jimodo32.exe
    Command line: C:\Windows\system32\Jimodo32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2100
[23] C:\Windows\SysWOW64\Kbgqbdbd.exe
    Command line: C:\Windows\system32\Kbgqbdbd.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2084
[24] C:\Windows\SysWOW64\Kamncagl.exe
    Command line: C:\Windows\system32\Kamncagl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2424
[25] C:\Windows\SysWOW64\Lpiqel32.exe
    Command line: C:\Windows\system32\Lpiqel32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1652
[26] C:\Windows\SysWOW64\Ldgikklb.exe
    Command line: C:\Windows\system32\Ldgikklb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2852
[27] C:\Windows\SysWOW64\Lejbhbpn.exe
    Command line: C:\Windows\system32\Lejbhbpn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1696
[28] C:\Windows\SysWOW64\Mbqpgf32.exe
    Command line: C:\Windows\system32\Mbqpgf32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2728
[29] C:\Windows\SysWOW64\Mhbakmgg.exe
    Command line: C:\Windows\system32\Mhbakmgg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2736
[30] C:\Windows\SysWOW64\Miekhd32.exe
    Command line: C:\Windows\system32\Miekhd32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2856
[31] C:\Windows\SysWOW64\Nmccnc32.exe
    Command line: C:\Windows\system32\Nmccnc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2584
[32] C:\Windows\SysWOW64\Ooncljom.exe
    Command line: C:\Windows\system32\Ooncljom.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3056
[33] C:\Windows\SysWOW64\Ohfgeo32.exe
    Command line: C:\Windows\system32\Ohfgeo32.exe
    - Executes dropped EXE
    PID:1940
[34] C:\Windows\SysWOW64\Oaolne32.exe
    Command line: C:\Windows\system32\Oaolne32.exe
    - Executes dropped EXE
    PID:3044
[35] C:\Windows\SysWOW64\Oceaql32.exe
    Command line: C:\Windows\system32\Oceaql32.exe
    - Executes dropped EXE
    PID:2888
[36] C:\Windows\SysWOW64\Polbemck.exe
    Command line: C:\Windows\system32\Polbemck.exe
    - Executes dropped EXE
    PID:2912
[37] C:\Windows\SysWOW64\Pemdic32.exe
    Command line: C:\Windows\system32\Pemdic32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2432
[38] C:\Windows\SysWOW64\Pnhegi32.exe
    Command line: C:\Windows\system32\Pnhegi32.exe
    - Executes dropped EXE
    PID:1140
[39] C:\Windows\SysWOW64\Qmmbhegc.exe
    Command line: C:\Windows\system32\Qmmbhegc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2924
[40] C:\Windows\SysWOW64\Qpnkjq32.exe
    Command line: C:\Windows\system32\Qpnkjq32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:1912
[41] C:\Windows\SysWOW64\Ajelmiag.exe
    Command line: C:\Windows\system32\Ajelmiag.exe
    - Executes dropped EXE
    PID:2132
[42] C:\Windows\SysWOW64\Apeakonl.exe
    Command line: C:\Windows\system32\Apeakonl.exe
    - Executes dropped EXE
    PID:1316
[43] C:\Windows\SysWOW64\Aeajcf32.exe
    Command line: C:\Windows\system32\Aeajcf32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID:1944
[44] C:\Windows\SysWOW64\Anjnllbd.exe
    Command line: C:\Windows\system32\Anjnllbd.exe
    - Executes dropped EXE
    PID:964
[45] C:\Windows\SysWOW64\Bakgmgpe.exe
    Command line: C:\Windows\system32\Bakgmgpe.exe
    - Executes dropped EXE
    PID:2348
[46] C:\Windows\SysWOW64\Bamdcf32.exe
    Command line: C:\Windows\system32\Bamdcf32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:2408
[47] C:\Windows\SysWOW64\Boadlk32.exe
    Command line: C:\Windows\system32\Boadlk32.exe
    - Executes dropped EXE
    PID:340
[48] C:\Windows\SysWOW64\Bhiiepcl.exe
    Command line: C:\Windows\system32\Bhiiepcl.exe
    - Executes dropped EXE
    PID:2036
[49] C:\Windows\SysWOW64\Bpdnjb32.exe
    Command line: C:\Windows\system32\Bpdnjb32.exe
    - Executes dropped EXE
    PID:1104
[50] C:\Windows\SysWOW64\Bmhncg32.exe
    Command line: C:\Windows\system32\Bmhncg32.exe
    - Executes dropped EXE
    PID:628
[51] C:\Windows\SysWOW64\Bbegkn32.exe
    Command line: C:\Windows\system32\Bbegkn32.exe
    - Executes dropped EXE
    PID:2052
[52] C:\Windows\SysWOW64\Colgpo32.exe
    Command line: C:\Windows\system32\Colgpo32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID:1580
[53] C:\Windows\SysWOW64\Cpldjajo.exe
    Command line: C:\Windows\system32\Cpldjajo.exe
    - Executes dropped EXE
    PID:2372
[54] C:\Windows\SysWOW64\Chghodgj.exe
    Command line: C:\Windows\system32\Chghodgj.exe
    - Executes dropped EXE
    PID:2816
[55] C:\Windows\SysWOW64\Cclmlm32.exe
    Command line: C:\Windows\system32\Cclmlm32.exe
    - Executes dropped EXE
    PID:2760
[56] C:\Windows\SysWOW64\Ckgapo32.exe
    Command line: C:\Windows\system32\Ckgapo32.exe
    - Executes dropped EXE
    PID:2632
[57] C:\Windows\SysWOW64\Coejfn32.exe
    Command line: C:\Windows\system32\Coejfn32.exe
    - Executes dropped EXE
    PID:3052
[58] C:\Windows\SysWOW64\Ddbbod32.exe
    Command line: C:\Windows\system32\Ddbbod32.exe
    - Executes dropped EXE
    PID:1920
[59] C:\Windows\SysWOW64\Djahmk32.exe
    Command line: C:\Windows\system32\Djahmk32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2276
[60] C:\Windows\SysWOW64\Dpkpie32.exe
    Command line: C:\Windows\system32\Dpkpie32.exe
    - Executes dropped EXE
    PID:2668
[61] C:\Windows\SysWOW64\Dfhial32.exe
    Command line: C:\Windows\system32\Dfhial32.exe
    - Executes dropped EXE
    PID:2892
[62] C:\Windows\SysWOW64\Dpnmoe32.exe
    Command line: C:\Windows\system32\Dpnmoe32.exe
    - Executes dropped EXE
    PID:684
[63] C:\Windows\SysWOW64\Dldndf32.exe
    Command line: C:\Windows\system32\Dldndf32.exe
    - Executes dropped EXE
    PID:3004
[64] C:\Windows\SysWOW64\Djhnmj32.exe
    Command line: C:\Windows\system32\Djhnmj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:2472
[65] C:\Windows\SysWOW64\Efoobkej.exe
    Command line: C:\Windows\system32\Efoobkej.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2968
[66] C:\Windows\SysWOW64\Eligoe32.exe
    Command line: C:\Windows\system32\Eligoe32.exe
    PID:776
[67] C:\Windows\SysWOW64\Ekndpa32.exe
    Command line: C:\Windows\system32\Ekndpa32.exe
    PID:276
[68] C:\Windows\SysWOW64\Ebhlmlhl.exe
    Command line: C:\Windows\system32\Ebhlmlhl.exe
    PID:1332
[69] C:\Windows\SysWOW64\Ejcaanfg.exe
    Command line: C:\Windows\system32\Ejcaanfg.exe
    PID:1996
[70] C:\Windows\SysWOW64\Emdjbi32.exe
    Command line: C:\Windows\system32\Emdjbi32.exe
    PID:2288
[71] C:\Windows\SysWOW64\Fgjnpb32.exe
    Command line: C:\Windows\system32\Fgjnpb32.exe
    PID:432
[72] C:\Windows\SysWOW64\Fcqoec32.exe
    Command line: C:\Windows\system32\Fcqoec32.exe
    PID:1496
[73] C:\Windows\SysWOW64\Fimgmj32.exe
    Command line: C:\Windows\system32\Fimgmj32.exe
    PID:2500
[74] C:\Windows\SysWOW64\Ffahgn32.exe
    Command line: C:\Windows\system32\Ffahgn32.exe
    PID:2388
[75] C:\Windows\SysWOW64\Fcehpbdm.exe
    Command line: C:\Windows\system32\Fcehpbdm.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:2672
[76] C:\Windows\SysWOW64\Fmnmih32.exe
    Command line: C:\Windows\system32\Fmnmih32.exe
    PID:2772
[77] C:\Windows\SysWOW64\Fbjeao32.exe
    Command line: C:\Windows\system32\Fbjeao32.exe
    PID:2792
[78] C:\Windows\SysWOW64\Flcjjdpe.exe
    Command line: C:\Windows\system32\Flcjjdpe.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID:2612
[79] C:\Windows\SysWOW64\Gapbbk32.exe
    Command line: C:\Windows\system32\Gapbbk32.exe
    - Modifies registry class
    PID:2620
[80] C:\Windows\SysWOW64\Gboolneo.exe
    Command line: C:\Windows\system32\Gboolneo.exe
    PID:2648
[81] C:\Windows\SysWOW64\Gdchifik.exe
    Command line: C:\Windows\system32\Gdchifik.exe
    - Drops file in System32 directory
    PID:1064
[82] C:\Windows\SysWOW64\Gjmpfp32.exe
    Command line: C:\Windows\system32\Gjmpfp32.exe
    - System Location Discovery: System Language Discovery
    PID:2444
[83] C:\Windows\SysWOW64\Gibmglep.exe
    Command line: C:\Windows\system32\Gibmglep.exe
    PID:2244
[84] C:\Windows\SysWOW64\Hmpemkkf.exe
    Command line: C:\Windows\system32\Hmpemkkf.exe
    PID:2072
[85] C:\Windows\SysWOW64\Hiffbl32.exe
    Command line: C:\Windows\system32\Hiffbl32.exe
    PID:1756
[86] C:\Windows\SysWOW64\Hbokkagk.exe
    Command line: C:\Windows\system32\Hbokkagk.exe
    PID:1980
[87] C:\Windows\SysWOW64\Hpckee32.exe
    Command line: C:\Windows\system32\Hpckee32.exe
    PID:2488
[88] C:\Windows\SysWOW64\Hepdml32.exe
    Command line: C:\Windows\system32\Hepdml32.exe
    PID:2172
[89] C:\Windows\SysWOW64\Hafdbmjp.exe
    Command line: C:\Windows\system32\Hafdbmjp.exe
    PID:2060
[90] C:\Windows\SysWOW64\Iomaaa32.exe
    Command line: C:\Windows\system32\Iomaaa32.exe
    PID:1960
[91] C:\Windows\SysWOW64\Jpgaohej.exe
    Command line: C:\Windows\system32\Jpgaohej.exe
    PID:2548
[92] C:\Windows\SysWOW64\Jlnadiko.exe
    Command line: C:\Windows\system32\Jlnadiko.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:1768
[93] C:\Windows\SysWOW64\Jfffmo32.exe
    Command line: C:\Windows\system32\Jfffmo32.exe
    PID:1284
[94] C:\Windows\SysWOW64\Jficbn32.exe
    Command line: C:\Windows\system32\Jficbn32.exe
    - Drops file in System32 directory
    PID:1724
[95] C:\Windows\SysWOW64\Jbpcgo32.exe
    Command line: C:\Windows\system32\Jbpcgo32.exe
    PID:2088
[96] C:\Windows\SysWOW64\Jqeqhlii.exe
    Command line: C:\Windows\system32\Jqeqhlii.exe
    PID:1160
[97] C:\Windows\SysWOW64\Kdcinjpo.exe
    Command line: C:\Windows\system32\Kdcinjpo.exe
    - System Location Discovery: System Language Discovery
    PID:2272
[98] C:\Windows\SysWOW64\Kchfpf32.exe
    Command line: C:\Windows\system32\Kchfpf32.exe
    - System Location Discovery: System Language Discovery
    PID:2688
[99] C:\Windows\SysWOW64\Koogdg32.exe
    Command line: C:\Windows\system32\Koogdg32.exe
    - Drops file in System32 directory
    PID:2836
[100] C:\Windows\SysWOW64\Kmbgnl32.exe
    Command line: C:\Windows\system32\Kmbgnl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:2700
[101] C:\Windows\SysWOW64\Lpcppgff.exe
    Command line: C:\Windows\system32\Lpcppgff.exe
    - Modifies registry class
    PID:2640
[102] C:\Windows\SysWOW64\Lepihndm.exe
    Command line: C:\Windows\system32\Lepihndm.exe
    PID:2944
[103] C:\Windows\SysWOW64\Lpfmefdc.exe
    Command line: C:\Windows\system32\Lpfmefdc.exe
    PID:2440
[104] C:\Windows\SysWOW64\Laifbnho.exe
    Command line: C:\Windows\system32\Laifbnho.exe
    PID:592
[105] C:\Windows\SysWOW64\Lnmglbgh.exe
    Command line: C:\Windows\system32\Lnmglbgh.exe
    PID:2916
[106] C:\Windows\SysWOW64\Lnpcabef.exe
    Command line: C:\Windows\system32\Lnpcabef.exe
    - Modifies registry class
    PID:1520
[107] C:\Windows\SysWOW64\Lcllii32.exe
    Command line: C:\Windows\system32\Lcllii32.exe
    - System Location Discovery: System Language Discovery
    PID:1740
[108] C:\Windows\SysWOW64\Mmepboin.exe
    Command line: C:\Windows\system32\Mmepboin.exe
    PID:2120
[109] C:\Windows\SysWOW64\Mjialchg.exe
    Command line: C:\Windows\system32\Mjialchg.exe
    PID:2192
[110] C:\Windows\SysWOW64\Mpeidjfo.exe
    Command line: C:\Windows\system32\Mpeidjfo.exe
    PID:696
[111] C:\Windows\SysWOW64\Mphfji32.exe
    Command line: C:\Windows\system32\Mphfji32.exe
    PID:1712
[112] C:\Windows\SysWOW64\Mmlfcn32.exe
    Command line: C:\Windows\system32\Mmlfcn32.exe
    PID:1328
[113] C:\Windows\SysWOW64\Mlacdj32.exe
    Command line: C:\Windows\system32\Mlacdj32.exe
    PID:1924
[114] C:\Windows\SysWOW64\Neihmpon.exe
    Command line: C:\Windows\system32\Neihmpon.exe
    PID:2780
[115] C:\Windows\SysWOW64\Nhjaok32.exe
    Command line: C:\Windows\system32\Nhjaok32.exe
    PID:2160
[116] C:\Windows\SysWOW64\Nmgiga32.exe
    Command line: C:\Windows\system32\Nmgiga32.exe
    PID:2744
[117] C:\Windows\SysWOW64\Naebmppm.exe
    Command line: C:\Windows\system32\Naebmppm.exe
    PID:2616
[118] C:\Windows\SysWOW64\Npjonlee.exe
    Command line: C:\Windows\system32\Npjonlee.exe
    PID:2920
[119] C:\Windows\SysWOW64\Nibcgb32.exe
    Command line: C:\Windows\system32\Nibcgb32.exe
    PID:1032
[120] C:\Windows\SysWOW64\Ockhpgbf.exe
    Command line: C:\Windows\system32\Ockhpgbf.exe
    PID:1680
[121] C:\Windows\SysWOW64\Ocmdeg32.exe
    Command line: C:\Windows\system32\Ocmdeg32.exe
    - Modifies registry class
    PID:2900
[122] C:\Windows\SysWOW64\Ocpakg32.exe
    Command line: C:\Windows\system32\Ocpakg32.exe
    PID:2436