Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 16:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6f92f1f118f8074977eab175fe211f0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b6f92f1f118f8074977eab175fe211f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b6f92f1f118f8074977eab175fe211f0N.exe
-
Size
256KB
-
MD5
b6f92f1f118f8074977eab175fe211f0
-
SHA1
d96c5f78c7eb3117eead8d70e19a574dd323b6ed
-
SHA256
e598392e60dcee0ed18da2b3ff14ff3000959d5f24e52fbf554e8e48b66cada9
-
SHA512
331a2cf3c606a9880b8331f4d8958a13655e28033ec211813e3b6c080022744f0517016a82a4cf7046fc69e34426217a92bff7e083769c35d7c8976f7bc72b8c
-
SSDEEP
6144:Ww8FL9yOm8HrtNxunXe8yhrtMsQBvli+RQFdp:WwYLm2ZvAO8qRMsrOQFn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqhadmhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okolfkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phelnhnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kopikdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbgakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Papank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gggclfkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefchacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkfeec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckbkfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldkeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekbjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmkpnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbenc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcbag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihgpkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlcceboa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnipgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnknqpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlabjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbgon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obamebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppbkoabf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeiobgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifiilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekeiel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlqemal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnmhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Denglpkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkheap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beplcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opfdim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndjhpcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbkdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpfpmonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mojaceln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deikhhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifiilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcnfjpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgomoboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfajhblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cipnng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beplcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnbelong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Difplf32.exe -
Executes dropped EXE 64 IoCs
pid Process 1936 Lmqgec32.exe 2916 Lighjd32.exe 2816 Mlmjgnaa.exe 2876 Mpoppadq.exe 2808 Mpalfabn.exe 2720 Nfmahkhh.exe 1304 Naionh32.exe 2124 Ndjhpcoe.exe 2936 Ngkaaolf.exe 3040 Ollcee32.exe 2736 Oegdcj32.exe 1676 Peiaij32.exe 1756 Papank32.exe 2128 Paekijkb.exe 1816 Pjblcl32.exe 1204 Abbjbnoq.exe 2440 Aoihaa32.exe 2520 Agdlfd32.exe 1376 Bghfacem.exe 1984 Bfncbp32.exe 2040 Bpfgke32.exe 1056 Bbgplq32.exe 924 Blodefdg.exe 1548 Dggbgadf.exe 1764 Dijgnm32.exe 2956 Eajennij.exe 2800 Ekbjgd32.exe 2940 Edmkei32.exe 2872 Fjlqcppm.exe 2336 Fmofjj32.exe 2684 Fkgpaf32.exe 2744 Ggnqfgce.exe 1652 Gqhadmhc.exe 1988 Gjqfmb32.exe 3008 Gggclfkj.exe 1728 Hflpmb32.exe 2644 Hfajhblm.exe 332 Hnlnmd32.exe 2120 Ihgpkinf.exe 2400 Imfeip32.exe 1072 Ibejfffo.exe 2500 Iefchacp.exe 2060 Jgeobdkc.exe 2140 Jpndkj32.exe 1992 Jejlca32.exe 1680 Jocalffk.exe 1316 Jkjaaglp.exe 2560 Jdbfjm32.exe 884 Jogjgf32.exe 1560 Jhpopk32.exe 2104 Kgelahmn.exe 2832 Kpmpjm32.exe 2856 Kppmpmal.exe 2680 Kgjelg32.exe 1348 Kbcfme32.exe 3036 Kogffida.exe 3028 Lkngkj32.exe 1572 Lhbhdnio.exe 2108 Lqmliqfj.exe 1976 Lggdfk32.exe 1628 Ldkeoo32.exe 1468 Lmfjcajl.exe 2156 Nlgfqldf.exe 1636 Nbaomf32.exe -
Loads dropped DLL 64 IoCs
pid Process 1848 b6f92f1f118f8074977eab175fe211f0N.exe 1848 b6f92f1f118f8074977eab175fe211f0N.exe 1936 Lmqgec32.exe 1936 Lmqgec32.exe 2916 Lighjd32.exe 2916 Lighjd32.exe 2816 Mlmjgnaa.exe 2816 Mlmjgnaa.exe 2876 Mpoppadq.exe 2876 Mpoppadq.exe 2808 Mpalfabn.exe 2808 Mpalfabn.exe 2720 Nfmahkhh.exe 2720 Nfmahkhh.exe 1304 Naionh32.exe 1304 Naionh32.exe 2124 Ndjhpcoe.exe 2124 Ndjhpcoe.exe 2936 Ngkaaolf.exe 2936 Ngkaaolf.exe 3040 Ollcee32.exe 3040 Ollcee32.exe 2736 Oegdcj32.exe 2736 Oegdcj32.exe 1676 Peiaij32.exe 1676 Peiaij32.exe 1756 Papank32.exe 1756 Papank32.exe 2128 Paekijkb.exe 2128 Paekijkb.exe 1816 Pjblcl32.exe 1816 Pjblcl32.exe 1204 Abbjbnoq.exe 1204 Abbjbnoq.exe 2440 Aoihaa32.exe 2440 Aoihaa32.exe 2520 Agdlfd32.exe 2520 Agdlfd32.exe 1376 Bghfacem.exe 1376 Bghfacem.exe 1984 Bfncbp32.exe 1984 Bfncbp32.exe 2040 Bpfgke32.exe 2040 Bpfgke32.exe 1056 Bbgplq32.exe 1056 Bbgplq32.exe 924 Blodefdg.exe 924 Blodefdg.exe 1548 Dggbgadf.exe 1548 Dggbgadf.exe 1764 Dijgnm32.exe 1764 Dijgnm32.exe 2956 Eajennij.exe 2956 Eajennij.exe 2800 Ekbjgd32.exe 2800 Ekbjgd32.exe 2940 Edmkei32.exe 2940 Edmkei32.exe 2872 Fjlqcppm.exe 2872 Fjlqcppm.exe 2336 Fmofjj32.exe 2336 Fmofjj32.exe 2684 Fkgpaf32.exe 2684 Fkgpaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apdminod.exe Alfdcp32.exe File created C:\Windows\SysWOW64\Acloba32.dll Dpbenpqh.exe File created C:\Windows\SysWOW64\Ndhfppje.dll Ekeiel32.exe File created C:\Windows\SysWOW64\Jhjillah.dll Jocceo32.exe File created C:\Windows\SysWOW64\Dpeack32.dll Nfhpjaba.exe File created C:\Windows\SysWOW64\Okmkebdg.dll Eaegaaah.exe File opened for modification C:\Windows\SysWOW64\Gggclfkj.exe Gjqfmb32.exe File opened for modification C:\Windows\SysWOW64\Bnhjae32.exe Bmhmgbif.exe File created C:\Windows\SysWOW64\Hhhblgim.exe Gmbagf32.exe File opened for modification C:\Windows\SysWOW64\Mfoqephq.exe Ljhppo32.exe File created C:\Windows\SysWOW64\Ibejfffo.exe Imfeip32.exe File created C:\Windows\SysWOW64\Hchpjddc.exe Hcfceeff.exe File opened for modification C:\Windows\SysWOW64\Nlabjj32.exe Nloedjin.exe File created C:\Windows\SysWOW64\Fbofhpaj.dll Mpalfabn.exe File created C:\Windows\SysWOW64\Lckbkfbb.exe Lomidgkl.exe File opened for modification C:\Windows\SysWOW64\Dgbgon32.exe Cnjbfhqa.exe File created C:\Windows\SysWOW64\Eehkmm32.dll Mjofanld.exe File opened for modification C:\Windows\SysWOW64\Qhehmkqn.exe Qomcdf32.exe File opened for modification C:\Windows\SysWOW64\Bocfch32.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Cmmfab32.dll Bgcdcjpf.exe File opened for modification C:\Windows\SysWOW64\Dlfbck32.exe Djffihmp.exe File opened for modification C:\Windows\SysWOW64\Iqmcmaja.exe Homfboco.exe File created C:\Windows\SysWOW64\Kaadjh32.dll Hfajhblm.exe File opened for modification C:\Windows\SysWOW64\Jogjgf32.exe Jdbfjm32.exe File created C:\Windows\SysWOW64\Okefloqc.dll Cinahhff.exe File opened for modification C:\Windows\SysWOW64\Apdminod.exe Alfdcp32.exe File opened for modification C:\Windows\SysWOW64\Fehmlh32.exe Fgcpkldh.exe File created C:\Windows\SysWOW64\Bmhmgbif.exe Bbolge32.exe File created C:\Windows\SysWOW64\Okolfkjg.exe Oohlaj32.exe File opened for modification C:\Windows\SysWOW64\Ehjqif32.exe Eibgbj32.exe File created C:\Windows\SysWOW64\Ljhppo32.exe Lamkllea.exe File opened for modification C:\Windows\SysWOW64\Ngoinfao.exe Nkhhie32.exe File created C:\Windows\SysWOW64\Ahlodfln.dll Biikne32.exe File created C:\Windows\SysWOW64\Apjpglfn.exe Akmgoehg.exe File opened for modification C:\Windows\SysWOW64\Qlbnja32.exe Qcjjakip.exe File created C:\Windows\SysWOW64\Bebiifka.exe Beplcfmd.exe File created C:\Windows\SysWOW64\Ghqchi32.exe Gbfklolh.exe File created C:\Windows\SysWOW64\Jffhec32.exe Ilmgef32.exe File created C:\Windows\SysWOW64\Pmpnci32.dll Nijcgp32.exe File created C:\Windows\SysWOW64\Kddifg32.dll Hnjdpm32.exe File created C:\Windows\SysWOW64\Ldnakeah.dll Jehbfjia.exe File created C:\Windows\SysWOW64\Fobccb32.dll Pfaopc32.exe File opened for modification C:\Windows\SysWOW64\Lobbpg32.exe Lckbkfbb.exe File opened for modification C:\Windows\SysWOW64\Oicbma32.exe Omlahqeo.exe File created C:\Windows\SysWOW64\Kimhhpgd.dll Cfekkgla.exe File created C:\Windows\SysWOW64\Ihgpkinf.exe Hnlnmd32.exe File created C:\Windows\SysWOW64\Nolgkp32.dll Nljcflbd.exe File created C:\Windows\SysWOW64\Dplbpaim.exe Dpjfjalp.exe File created C:\Windows\SysWOW64\Hcqcoo32.exe Hcnfjpib.exe File opened for modification C:\Windows\SysWOW64\Mgomoboc.exe Mfoqephq.exe File opened for modification C:\Windows\SysWOW64\Jdbfjm32.exe Jkjaaglp.exe File created C:\Windows\SysWOW64\Kgknpfdi.exe Kopikdgn.exe File opened for modification C:\Windows\SysWOW64\Mkconepp.exe Moloidjl.exe File created C:\Windows\SysWOW64\Ohqbbi32.exe Opennf32.exe File opened for modification C:\Windows\SysWOW64\Nbbhpegc.exe Nijcgp32.exe File opened for modification C:\Windows\SysWOW64\Ahoamplo.exe Apdminod.exe File created C:\Windows\SysWOW64\Qlooenoo.dll Bbgplq32.exe File created C:\Windows\SysWOW64\Hehgjl32.dll Gqhadmhc.exe File opened for modification C:\Windows\SysWOW64\Abachg32.exe Afkccffq.exe File created C:\Windows\SysWOW64\Gppnejgk.dll Afkccffq.exe File opened for modification C:\Windows\SysWOW64\Dabicikf.exe Dhjdjc32.exe File created C:\Windows\SysWOW64\Kpeonkig.exe Kgmkef32.exe File created C:\Windows\SysWOW64\Emqaaabg.exe Effidg32.exe File created C:\Windows\SysWOW64\Noddcolo.dll Boqgep32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2524 3904 WerFault.exe 351 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anngkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnecjgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggdfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlialfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhkhnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkknm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oegdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeobdkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbcfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlabjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekeiel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocalffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcfceeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoinfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejfffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjelg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmijgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlhfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiinmnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmcni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kogffida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgfko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcnfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polakmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhpcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfkheap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beplcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbdjhnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnomkloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmpkal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfdpckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmcmaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjblcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajennij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpemob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfjalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhkkjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papank32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okolfkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbckagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbclj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obamebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jogjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppmpmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmliqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll" Mbmgkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oclpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngkaaolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gggclfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjmdg32.dll" Ceioieei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnbelong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hchpjddc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpbiolnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpbiolnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmcblai.dll" Ampncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddggblin.dll" Qlbnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epgoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lklmoccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll" Nnknqpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Papank32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmofjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfngbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameodaja.dll" Jpcfih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlabjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adffdidl.dll" Cegbce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paekijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpmge32.dll" Bfncbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihgpkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einmnkgf.dll" Beplcfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emkfmioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncejcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eaegaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpfgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjlqcppm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfbckagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfncbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kennjb32.dll" Bhfhnofg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dabicikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mheohk32.dll" Jffhec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnhce32.dll" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkngkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njopgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlbnja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfahjk32.dll" Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbcbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdqfnhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndjhpcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agaifnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphqlc32.dll" Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbicp32.dll" Jjjdjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldgnmhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmbcq32.dll" Fgcpkldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjoaod.dll" Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anggfg32.dll" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmmmb32.dll" Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmbgbpa.dll" Polakmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feiefo32.dll" Ncejcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1848 wrote to memory of 1936 1848 b6f92f1f118f8074977eab175fe211f0N.exe 30 PID 1848 wrote to memory of 1936 1848 b6f92f1f118f8074977eab175fe211f0N.exe 30 PID 1848 wrote to memory of 1936 1848 b6f92f1f118f8074977eab175fe211f0N.exe 30 PID 1848 wrote to memory of 1936 1848 b6f92f1f118f8074977eab175fe211f0N.exe 30 PID 1936 wrote to memory of 2916 1936 Lmqgec32.exe 31 PID 1936 wrote to memory of 2916 1936 Lmqgec32.exe 31 PID 1936 wrote to memory of 2916 1936 Lmqgec32.exe 31 PID 1936 wrote to memory of 2916 1936 Lmqgec32.exe 31 PID 2916 wrote to memory of 2816 2916 Lighjd32.exe 32 PID 2916 wrote to memory of 2816 2916 Lighjd32.exe 32 PID 2916 wrote to memory of 2816 2916 Lighjd32.exe 32 PID 2916 wrote to memory of 2816 2916 Lighjd32.exe 32 PID 2816 wrote to memory of 2876 2816 Mlmjgnaa.exe 33 PID 2816 wrote to memory of 2876 2816 Mlmjgnaa.exe 33 PID 2816 wrote to memory of 2876 2816 Mlmjgnaa.exe 33 PID 2816 wrote to memory of 2876 2816 Mlmjgnaa.exe 33 PID 2876 wrote to memory of 2808 2876 Mpoppadq.exe 34 PID 2876 wrote to memory of 2808 2876 Mpoppadq.exe 34 PID 2876 wrote to memory of 2808 2876 Mpoppadq.exe 34 PID 2876 wrote to memory of 2808 2876 Mpoppadq.exe 34 PID 2808 wrote to memory of 2720 2808 Mpalfabn.exe 35 PID 2808 wrote to memory of 2720 2808 Mpalfabn.exe 35 PID 2808 wrote to memory of 2720 2808 Mpalfabn.exe 35 PID 2808 wrote to memory of 2720 2808 Mpalfabn.exe 35 PID 2720 wrote to memory of 1304 2720 Nfmahkhh.exe 36 PID 2720 wrote to memory of 1304 2720 Nfmahkhh.exe 36 PID 2720 wrote to memory of 1304 2720 Nfmahkhh.exe 36 PID 2720 wrote to memory of 1304 2720 Nfmahkhh.exe 36 PID 1304 wrote to memory of 2124 1304 Naionh32.exe 37 PID 1304 wrote to memory of 2124 1304 Naionh32.exe 37 PID 1304 wrote to memory of 2124 1304 Naionh32.exe 37 PID 1304 wrote to memory of 2124 1304 Naionh32.exe 37 PID 2124 wrote to memory of 2936 2124 Ndjhpcoe.exe 38 PID 2124 wrote to memory of 2936 2124 Ndjhpcoe.exe 38 PID 2124 wrote to memory of 2936 2124 Ndjhpcoe.exe 38 PID 2124 wrote to memory of 2936 2124 Ndjhpcoe.exe 38 PID 2936 wrote to memory of 3040 2936 Ngkaaolf.exe 39 PID 2936 wrote to memory of 3040 2936 Ngkaaolf.exe 39 PID 2936 wrote to memory of 3040 2936 Ngkaaolf.exe 39 PID 2936 wrote to memory of 3040 2936 Ngkaaolf.exe 39 PID 3040 wrote to memory of 2736 3040 Ollcee32.exe 40 PID 3040 wrote to memory of 2736 3040 Ollcee32.exe 40 PID 3040 wrote to memory of 2736 3040 Ollcee32.exe 40 PID 3040 wrote to memory of 2736 3040 Ollcee32.exe 40 PID 2736 wrote to memory of 1676 2736 Oegdcj32.exe 41 PID 2736 wrote to memory of 1676 2736 Oegdcj32.exe 41 PID 2736 wrote to memory of 1676 2736 Oegdcj32.exe 41 PID 2736 wrote to memory of 1676 2736 Oegdcj32.exe 41 PID 1676 wrote to memory of 1756 1676 Peiaij32.exe 42 PID 1676 wrote to memory of 1756 1676 Peiaij32.exe 42 PID 1676 wrote to memory of 1756 1676 Peiaij32.exe 42 PID 1676 wrote to memory of 1756 1676 Peiaij32.exe 42 PID 1756 wrote to memory of 2128 1756 Papank32.exe 43 PID 1756 wrote to memory of 2128 1756 Papank32.exe 43 PID 1756 wrote to memory of 2128 1756 Papank32.exe 43 PID 1756 wrote to memory of 2128 1756 Papank32.exe 43 PID 2128 wrote to memory of 1816 2128 Paekijkb.exe 44 PID 2128 wrote to memory of 1816 2128 Paekijkb.exe 44 PID 2128 wrote to memory of 1816 2128 Paekijkb.exe 44 PID 2128 wrote to memory of 1816 2128 Paekijkb.exe 44 PID 1816 wrote to memory of 1204 1816 Pjblcl32.exe 45 PID 1816 wrote to memory of 1204 1816 Pjblcl32.exe 45 PID 1816 wrote to memory of 1204 1816 Pjblcl32.exe 45 PID 1816 wrote to memory of 1204 1816 Pjblcl32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6f92f1f118f8074977eab175fe211f0N.exe"C:\Users\Admin\AppData\Local\Temp\b6f92f1f118f8074977eab175fe211f0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Paekijkb.exeC:\Windows\system32\Paekijkb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Abbjbnoq.exeC:\Windows\system32\Abbjbnoq.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Aoihaa32.exeC:\Windows\system32\Aoihaa32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Bbgplq32.exeC:\Windows\system32\Bbgplq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Fkgpaf32.exeC:\Windows\system32\Fkgpaf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe33⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe45⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe46⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Jocalffk.exeC:\Windows\system32\Jocalffk.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe51⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Kppmpmal.exeC:\Windows\system32\Kppmpmal.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe59⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe63⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe64⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe65⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe66⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe68⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe70⤵PID:1540
-
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe72⤵PID:2804
-
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe73⤵PID:2692
-
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe75⤵
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe77⤵PID:1124
-
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe78⤵PID:1088
-
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe79⤵PID:2044
-
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe83⤵PID:888
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe84⤵PID:2468
-
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe86⤵PID:2556
-
C:\Windows\SysWOW64\Qcjjakip.exeC:\Windows\system32\Qcjjakip.exe87⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe88⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe89⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe90⤵PID:2868
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe91⤵PID:2772
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe93⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe96⤵PID:2276
-
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe97⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe100⤵PID:1708
-
C:\Windows\SysWOW64\Bphmfo32.exeC:\Windows\system32\Bphmfo32.exe101⤵PID:2760
-
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe102⤵PID:2824
-
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe103⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ceioieei.exeC:\Windows\system32\Ceioieei.exe104⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe105⤵PID:2020
-
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe107⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Dplbpaim.exeC:\Windows\system32\Dplbpaim.exe110⤵
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe113⤵
- Drops file in System32 directory
PID:112 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe114⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe115⤵PID:2860
-
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe116⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe117⤵PID:1704
-
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe118⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe120⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-