Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/09/2024, 14:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e18f796681386bb6f08c650f77f2cd0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
1e18f796681386bb6f08c650f77f2cd0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
1e18f796681386bb6f08c650f77f2cd0N.exe
-
Size
80KB
-
MD5
1e18f796681386bb6f08c650f77f2cd0
-
SHA1
0f1935a195c6f558eada8a9f96879f8c24cf17c8
-
SHA256
e2fe1e1c5feb1eb61ea837bd8492fdf2426c49cf7082b65a13d5fc0c641c4af9
-
SHA512
57bcbfb6892857b42025fadf8934eed29aa2902d2c87be691dec6e6d21d93673825c2a99d4e3d9d5fc2950ea89b47c4bfc35b2eef8f44d8dc3f6d69e3db87ee7
-
SSDEEP
1536:R25gWcKxYMXeD6WuAYDqJdt2L6rS5DUHRbPa9b6i+sIk:R25g6YMXeeWuti+cS5DSCopsIk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noojfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iobbfggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbgbahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neekogkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cligkdlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjekahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljmmjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plheil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjieapck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjojphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljfeimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfphmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeggkoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchpjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgmolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnpbbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfceom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkiemqdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhopjqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqilppic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchhhjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjgmhaim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcqoqeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekpmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efllcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkekilg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpiombe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdllci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlokegib.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Bhmmcjjd.exe 2772 Bmjekahk.exe 2732 Bmlbaqfh.exe 2780 Bdfjnkne.exe 2656 Bgdfjfmi.exe 1848 Chhpgn32.exe 1732 Clfhml32.exe 2084 Cenmfbml.exe 2060 Cniajdkg.exe 2948 Chabmm32.exe 2976 Dkblohek.exe 1628 Dcmpcjcf.exe 2384 Dfniee32.exe 3056 Dofnnkfg.exe 1616 Ehaolpke.exe 628 Eomdoj32.exe 1000 Ecoihm32.exe 664 Enenef32.exe 3060 Fqffgapf.exe 1348 Fmlglb32.exe 1688 Fblljhbo.exe 748 Fiedfb32.exe 1156 Fbpfeh32.exe 872 Glijnmdj.exe 2272 Ghpkbn32.exe 2824 Gjpddigo.exe 2768 Gdihmo32.exe 2668 Gieaef32.exe 2980 Hogcil32.exe 2652 Hlmphp32.exe 2184 Hdkaabnh.exe 1044 Idmnga32.exe 2960 Inebpgbf.exe 2428 Idbgbahq.exe 1996 Ijampgde.exe 2016 Jkgbcofn.exe 568 Jflgph32.exe 432 Jkllnn32.exe 2140 Jbedkhie.exe 2208 Jjqiok32.exe 3016 Kjcedj32.exe 692 Kjebjjck.exe 1612 Kjhopjqi.exe 1796 Kkilgb32.exe 2404 Kbcddlnd.exe 560 Keappgmg.exe 2476 Knjdimdh.exe 2408 Lgbibb32.exe 1180 Lnlaomae.exe 2228 Llpaha32.exe 2840 Lamjph32.exe 2744 Lggbmbfc.exe 2988 Lmckeidj.exe 2676 Lncgollm.exe 2924 Laackgka.exe 2212 Ladpagin.exe 3004 Mbemho32.exe 2944 Mlmaad32.exe 264 Mfceom32.exe 2328 Mlpngd32.exe 1936 Mbjfcnkg.exe 2112 Mhfoleio.exe 900 Mpngmb32.exe 280 Maocekoo.exe -
Loads dropped DLL 64 IoCs
pid Process 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 2756 Bhmmcjjd.exe 2756 Bhmmcjjd.exe 2772 Bmjekahk.exe 2772 Bmjekahk.exe 2732 Bmlbaqfh.exe 2732 Bmlbaqfh.exe 2780 Bdfjnkne.exe 2780 Bdfjnkne.exe 2656 Bgdfjfmi.exe 2656 Bgdfjfmi.exe 1848 Chhpgn32.exe 1848 Chhpgn32.exe 1732 Clfhml32.exe 1732 Clfhml32.exe 2084 Cenmfbml.exe 2084 Cenmfbml.exe 2060 Cniajdkg.exe 2060 Cniajdkg.exe 2948 Chabmm32.exe 2948 Chabmm32.exe 2976 Dkblohek.exe 2976 Dkblohek.exe 1628 Dcmpcjcf.exe 1628 Dcmpcjcf.exe 2384 Dfniee32.exe 2384 Dfniee32.exe 3056 Dofnnkfg.exe 3056 Dofnnkfg.exe 1616 Ehaolpke.exe 1616 Ehaolpke.exe 628 Eomdoj32.exe 628 Eomdoj32.exe 1000 Ecoihm32.exe 1000 Ecoihm32.exe 664 Enenef32.exe 664 Enenef32.exe 3060 Fqffgapf.exe 3060 Fqffgapf.exe 1348 Fmlglb32.exe 1348 Fmlglb32.exe 1688 Fblljhbo.exe 1688 Fblljhbo.exe 748 Fiedfb32.exe 748 Fiedfb32.exe 1156 Fbpfeh32.exe 1156 Fbpfeh32.exe 872 Glijnmdj.exe 872 Glijnmdj.exe 2272 Ghpkbn32.exe 2272 Ghpkbn32.exe 2824 Gjpddigo.exe 2824 Gjpddigo.exe 2768 Gdihmo32.exe 2768 Gdihmo32.exe 2668 Gieaef32.exe 2668 Gieaef32.exe 2980 Hogcil32.exe 2980 Hogcil32.exe 2652 Hlmphp32.exe 2652 Hlmphp32.exe 2184 Hdkaabnh.exe 2184 Hdkaabnh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oeeeeehe.exe Oindpd32.exe File created C:\Windows\SysWOW64\Iklchphj.dll Fnnpma32.exe File opened for modification C:\Windows\SysWOW64\Hliieioi.exe Haohel32.exe File created C:\Windows\SysWOW64\Glbcpokl.exe Ggekhhle.exe File created C:\Windows\SysWOW64\Injnfl32.exe Process not Found File created C:\Windows\SysWOW64\Bimdka32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdgefn32.exe Fnmmidhm.exe File opened for modification C:\Windows\SysWOW64\Dcblgbfe.exe Dijgnm32.exe File created C:\Windows\SysWOW64\Dnmhogjo.exe Deedfacn.exe File created C:\Windows\SysWOW64\Eplmflde.exe Ejadibmh.exe File created C:\Windows\SysWOW64\Bhfhnofg.exe Bnqcaffa.exe File created C:\Windows\SysWOW64\Oghfnq32.dll Obbonk32.exe File created C:\Windows\SysWOW64\Hlmpjl32.exe Hincna32.exe File created C:\Windows\SysWOW64\Lemlao32.dll Process not Found File created C:\Windows\SysWOW64\Mclghl32.exe Process not Found File created C:\Windows\SysWOW64\Gdihmo32.exe Gjpddigo.exe File created C:\Windows\SysWOW64\Jocfacia.dll Acggbffj.exe File opened for modification C:\Windows\SysWOW64\Ibeeeijg.exe Iodlcnmf.exe File opened for modification C:\Windows\SysWOW64\Jnjjcbiq.exe Jnhnmckc.exe File created C:\Windows\SysWOW64\Niilofhh.exe Process not Found File created C:\Windows\SysWOW64\Kppohf32.exe Kifgllbc.exe File created C:\Windows\SysWOW64\Cofdbh32.dll Bdehgnqc.exe File opened for modification C:\Windows\SysWOW64\Fmknko32.exe Fbeimf32.exe File created C:\Windows\SysWOW64\Onpoob32.dll Gddbfm32.exe File created C:\Windows\SysWOW64\Geehcoaf.exe Gbglgcbc.exe File created C:\Windows\SysWOW64\Ihhpdnkl.dll Ieppjclf.exe File created C:\Windows\SysWOW64\Nemfepee.dll Bpkqfdmp.exe File created C:\Windows\SysWOW64\Dicann32.exe Dhaefepn.exe File created C:\Windows\SysWOW64\Qgqlig32.exe Process not Found File created C:\Windows\SysWOW64\Mgnmao32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Omddmkhl.exe Oenmkngi.exe File created C:\Windows\SysWOW64\Noojfpbi.exe Ngcebnen.exe File created C:\Windows\SysWOW64\Fjnkac32.exe Filnjk32.exe File created C:\Windows\SysWOW64\Kknkncbl.exe Process not Found File created C:\Windows\SysWOW64\Kgqlke32.dll Ecobmg32.exe File opened for modification C:\Windows\SysWOW64\Jjjdjp32.exe Jdplmflg.exe File created C:\Windows\SysWOW64\Jceahq32.dll Nqgngk32.exe File created C:\Windows\SysWOW64\Jnlhbb32.exe Jgbpfhpc.exe File created C:\Windows\SysWOW64\Ddjkhl32.exe Process not Found File created C:\Windows\SysWOW64\Bdpgbajd.dll Fhcjilcb.exe File opened for modification C:\Windows\SysWOW64\Khhndi32.exe Kopikdgn.exe File created C:\Windows\SysWOW64\Mkdknm32.dll Chickknc.exe File opened for modification C:\Windows\SysWOW64\Eqnillbb.exe Efhenccl.exe File created C:\Windows\SysWOW64\Oohokele.dll Chccfe32.exe File created C:\Windows\SysWOW64\Liqkincl.dll Process not Found File created C:\Windows\SysWOW64\Gmkjjbhg.exe Gdbeqmag.exe File opened for modification C:\Windows\SysWOW64\Nlnqeeeh.exe Ncellpog.exe File opened for modification C:\Windows\SysWOW64\Idlgohcl.exe Process not Found File created C:\Windows\SysWOW64\Ccdnipal.exe Cafbmdbh.exe File opened for modification C:\Windows\SysWOW64\Ahpdficc.exe Aeokdn32.exe File created C:\Windows\SysWOW64\Bigmoadp.dll Eckcak32.exe File created C:\Windows\SysWOW64\Dddodd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dgphpi32.exe Process not Found File created C:\Windows\SysWOW64\Lkiadddj.dll Process not Found File created C:\Windows\SysWOW64\Migdig32.exe Mhfhaoec.exe File created C:\Windows\SysWOW64\Cjiiim32.exe Cnbhcl32.exe File opened for modification C:\Windows\SysWOW64\Jjefmc32.exe Jmaedolh.exe File created C:\Windows\SysWOW64\Hljegpof.dll Process not Found File created C:\Windows\SysWOW64\Efmoib32.exe Ecobmg32.exe File created C:\Windows\SysWOW64\Aoilcc32.exe Ahpdficc.exe File created C:\Windows\SysWOW64\Hmkjkp32.dll Process not Found File created C:\Windows\SysWOW64\Inebpgbf.exe Idmnga32.exe File created C:\Windows\SysWOW64\Ebhlmlhl.exe Process not Found File created C:\Windows\SysWOW64\Cddgbp32.dll Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimfcedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhopgkin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlcgmpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqmkflcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdmee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhggdcgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjinaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehconob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfingaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emadjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caccnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deljfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbilmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojoalda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoanp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdllci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifgpeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbcnajn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnhcdkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcblgbfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkmln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlaomae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladpagin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deedfacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eckcak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogiha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pppnia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hincna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpglhpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbemho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckabkdol.dll" Dekeeonn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pniohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkegdfnd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll" Pkplgoop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njaoeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihgadhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpbobba.dll" Afdjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggbjggc.dll" Okijhmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnlbnagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfpjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnjmd32.dll" Acjdgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gemhpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kanhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eedijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bboahbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfhfkhm.dll" Majcoepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eopcmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiihgc32.dll" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefcdgnb.dll" Njmejaqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlfjjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmnqggl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnnjcee.dll" Haqbcoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eamdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgeifgn.dll" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nokdnail.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abgeiaaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealbcngg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhich32.dll" Kleeqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckldighd.dll" Oeeeeehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlojh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmlppdo.dll" Mnqdpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkeofnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgoikhhk.dll" Apbblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgdpknp.dll" Npdlpnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnoof32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clcjjimp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmhbloc.dll" Cafbmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaodhk32.dll" Fagqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklfde32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjcgmjl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfachoeo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll" Lamjph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akjham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkaef32.dll" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqgkjc32.dll" Adfbbabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allbpqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apepdbkl.dll" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggkdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcljlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepapf32.dll" Nepkia32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2756 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 30 PID 2808 wrote to memory of 2756 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 30 PID 2808 wrote to memory of 2756 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 30 PID 2808 wrote to memory of 2756 2808 1e18f796681386bb6f08c650f77f2cd0N.exe 30 PID 2756 wrote to memory of 2772 2756 Bhmmcjjd.exe 31 PID 2756 wrote to memory of 2772 2756 Bhmmcjjd.exe 31 PID 2756 wrote to memory of 2772 2756 Bhmmcjjd.exe 31 PID 2756 wrote to memory of 2772 2756 Bhmmcjjd.exe 31 PID 2772 wrote to memory of 2732 2772 Bmjekahk.exe 32 PID 2772 wrote to memory of 2732 2772 Bmjekahk.exe 32 PID 2772 wrote to memory of 2732 2772 Bmjekahk.exe 32 PID 2772 wrote to memory of 2732 2772 Bmjekahk.exe 32 PID 2732 wrote to memory of 2780 2732 Bmlbaqfh.exe 33 PID 2732 wrote to memory of 2780 2732 Bmlbaqfh.exe 33 PID 2732 wrote to memory of 2780 2732 Bmlbaqfh.exe 33 PID 2732 wrote to memory of 2780 2732 Bmlbaqfh.exe 33 PID 2780 wrote to memory of 2656 2780 Bdfjnkne.exe 34 PID 2780 wrote to memory of 2656 2780 Bdfjnkne.exe 34 PID 2780 wrote to memory of 2656 2780 Bdfjnkne.exe 34 PID 2780 wrote to memory of 2656 2780 Bdfjnkne.exe 34 PID 2656 wrote to memory of 1848 2656 Bgdfjfmi.exe 35 PID 2656 wrote to memory of 1848 2656 Bgdfjfmi.exe 35 PID 2656 wrote to memory of 1848 2656 Bgdfjfmi.exe 35 PID 2656 wrote to memory of 1848 2656 Bgdfjfmi.exe 35 PID 1848 wrote to memory of 1732 1848 Chhpgn32.exe 36 PID 1848 wrote to memory of 1732 1848 Chhpgn32.exe 36 PID 1848 wrote to memory of 1732 1848 Chhpgn32.exe 36 PID 1848 wrote to memory of 1732 1848 Chhpgn32.exe 36 PID 1732 wrote to memory of 2084 1732 Clfhml32.exe 37 PID 1732 wrote to memory of 2084 1732 Clfhml32.exe 37 PID 1732 wrote to memory of 2084 1732 Clfhml32.exe 37 PID 1732 wrote to memory of 2084 1732 Clfhml32.exe 37 PID 2084 wrote to memory of 2060 2084 Cenmfbml.exe 38 PID 2084 wrote to memory of 2060 2084 Cenmfbml.exe 38 PID 2084 wrote to memory of 2060 2084 Cenmfbml.exe 38 PID 2084 wrote to memory of 2060 2084 Cenmfbml.exe 38 PID 2060 wrote to memory of 2948 2060 Cniajdkg.exe 39 PID 2060 wrote to memory of 2948 2060 Cniajdkg.exe 39 PID 2060 wrote to memory of 2948 2060 Cniajdkg.exe 39 PID 2060 wrote to memory of 2948 2060 Cniajdkg.exe 39 PID 2948 wrote to memory of 2976 2948 Chabmm32.exe 40 PID 2948 wrote to memory of 2976 2948 Chabmm32.exe 40 PID 2948 wrote to memory of 2976 2948 Chabmm32.exe 40 PID 2948 wrote to memory of 2976 2948 Chabmm32.exe 40 PID 2976 wrote to memory of 1628 2976 Dkblohek.exe 41 PID 2976 wrote to memory of 1628 2976 Dkblohek.exe 41 PID 2976 wrote to memory of 1628 2976 Dkblohek.exe 41 PID 2976 wrote to memory of 1628 2976 Dkblohek.exe 41 PID 1628 wrote to memory of 2384 1628 Dcmpcjcf.exe 42 PID 1628 wrote to memory of 2384 1628 Dcmpcjcf.exe 42 PID 1628 wrote to memory of 2384 1628 Dcmpcjcf.exe 42 PID 1628 wrote to memory of 2384 1628 Dcmpcjcf.exe 42 PID 2384 wrote to memory of 3056 2384 Dfniee32.exe 43 PID 2384 wrote to memory of 3056 2384 Dfniee32.exe 43 PID 2384 wrote to memory of 3056 2384 Dfniee32.exe 43 PID 2384 wrote to memory of 3056 2384 Dfniee32.exe 43 PID 3056 wrote to memory of 1616 3056 Dofnnkfg.exe 44 PID 3056 wrote to memory of 1616 3056 Dofnnkfg.exe 44 PID 3056 wrote to memory of 1616 3056 Dofnnkfg.exe 44 PID 3056 wrote to memory of 1616 3056 Dofnnkfg.exe 44 PID 1616 wrote to memory of 628 1616 Ehaolpke.exe 45 PID 1616 wrote to memory of 628 1616 Ehaolpke.exe 45 PID 1616 wrote to memory of 628 1616 Ehaolpke.exe 45 PID 1616 wrote to memory of 628 1616 Ehaolpke.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e18f796681386bb6f08c650f77f2cd0N.exe"C:\Users\Admin\AppData\Local\Temp\1e18f796681386bb6f08c650f77f2cd0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Bmlbaqfh.exeC:\Windows\system32\Bmlbaqfh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bgdfjfmi.exeC:\Windows\system32\Bgdfjfmi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Fiedfb32.exeC:\Windows\system32\Fiedfb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Idmnga32.exeC:\Windows\system32\Idmnga32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Inebpgbf.exeC:\Windows\system32\Inebpgbf.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Idbgbahq.exeC:\Windows\system32\Idbgbahq.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ijampgde.exeC:\Windows\system32\Ijampgde.exe36⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe37⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Jflgph32.exeC:\Windows\system32\Jflgph32.exe38⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe39⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Jbedkhie.exeC:\Windows\system32\Jbedkhie.exe40⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jjqiok32.exeC:\Windows\system32\Jjqiok32.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe42⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe43⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kjhopjqi.exeC:\Windows\system32\Kjhopjqi.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe45⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Kbcddlnd.exeC:\Windows\system32\Kbcddlnd.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Keappgmg.exeC:\Windows\system32\Keappgmg.exe47⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Knjdimdh.exeC:\Windows\system32\Knjdimdh.exe48⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Lgbibb32.exeC:\Windows\system32\Lgbibb32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Lnlaomae.exeC:\Windows\system32\Lnlaomae.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe51⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lamjph32.exeC:\Windows\system32\Lamjph32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe54⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Lncgollm.exeC:\Windows\system32\Lncgollm.exe55⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe56⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Mbemho32.exeC:\Windows\system32\Mbemho32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe59⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mfceom32.exeC:\Windows\system32\Mfceom32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Mlpngd32.exeC:\Windows\system32\Mlpngd32.exe61⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe62⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe63⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Mpngmb32.exeC:\Windows\system32\Mpngmb32.exe64⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe65⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe66⤵PID:1528
-
C:\Windows\SysWOW64\Maapjjml.exeC:\Windows\system32\Maapjjml.exe67⤵PID:2284
-
C:\Windows\SysWOW64\Mdplfflp.exeC:\Windows\system32\Mdplfflp.exe68⤵PID:1552
-
C:\Windows\SysWOW64\Neohqicc.exeC:\Windows\system32\Neohqicc.exe69⤵PID:2880
-
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe70⤵PID:3028
-
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe71⤵PID:1608
-
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe72⤵PID:2624
-
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe73⤵PID:2692
-
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe74⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Nickoldp.exeC:\Windows\system32\Nickoldp.exe75⤵PID:2044
-
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe76⤵PID:2200
-
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe77⤵PID:1516
-
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe78⤵PID:2892
-
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe79⤵PID:2684
-
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe80⤵PID:2324
-
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe81⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Olimlf32.exeC:\Windows\system32\Olimlf32.exe82⤵PID:1988
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe84⤵PID:600
-
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe85⤵PID:1908
-
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe86⤵PID:2696
-
C:\Windows\SysWOW64\Oqmokioh.exeC:\Windows\system32\Oqmokioh.exe87⤵PID:2280
-
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe89⤵PID:1704
-
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe90⤵PID:2648
-
C:\Windows\SysWOW64\Pcqebd32.exeC:\Windows\system32\Pcqebd32.exe91⤵PID:2844
-
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe92⤵
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Pqdelh32.exeC:\Windows\system32\Pqdelh32.exe93⤵PID:2928
-
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe94⤵PID:304
-
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe95⤵PID:2248
-
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe96⤵PID:1404
-
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe97⤵PID:2432
-
C:\Windows\SysWOW64\Pdigkk32.exeC:\Windows\system32\Pdigkk32.exe98⤵PID:1768
-
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe99⤵PID:1152
-
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe100⤵PID:572
-
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe101⤵PID:2176
-
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe102⤵PID:2896
-
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe103⤵PID:2276
-
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe104⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Abaaoodq.exeC:\Windows\system32\Abaaoodq.exe105⤵PID:1092
-
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe106⤵PID:2308
-
C:\Windows\SysWOW64\Agnjge32.exeC:\Windows\system32\Agnjge32.exe107⤵PID:2040
-
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe108⤵PID:2108
-
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe109⤵PID:964
-
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe111⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe112⤵PID:1708
-
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe113⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe114⤵PID:2620
-
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe115⤵PID:2628
-
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe116⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Bmdefk32.exeC:\Windows\system32\Bmdefk32.exe117⤵PID:2956
-
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe118⤵PID:2416
-
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe119⤵PID:2136
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe120⤵PID:820
-
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe121⤵PID:2204
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-