Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 22:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccb9c6717880b45c25620a5e32662d90N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ccb9c6717880b45c25620a5e32662d90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ccb9c6717880b45c25620a5e32662d90N.exe
-
Size
276KB
-
MD5
ccb9c6717880b45c25620a5e32662d90
-
SHA1
1b0a899dc6a91489f0d19d314a6da44cdf04bdd3
-
SHA256
135933b067474d197bde8fcacbf49bdd724118ee3ed86e084400d236c2c786b7
-
SHA512
9e372ae01e5811f67a6f2950e7cffe0e57c645a6083084136f47181fe26b36632f9430ae9083f63def011b04aa6217915737a40906e745adf48916e2196c19e5
-
SSDEEP
6144:o7nrUbK+TzLimdZMGXF5ahdt3rM8d7TtLa:+rs1PL9XFWtJ9O
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffcbce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkjjbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edfqclni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onggom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjfjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgpeimhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Legcjjjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcnqin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkbdbbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfhfjgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeenfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdieaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehilgikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhhkbqea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apbblg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhlhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdmdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqoqlfkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noighakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmhij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebhjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjngnod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlncdio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obniel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obffpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodnmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbfhfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldolj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fagqed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmqckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfhjjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmeiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemfahcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjfdpckc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcpmonea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgglcqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijpjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lielphqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccinnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ccb9c6717880b45c25620a5e32662d90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaolad32.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Mkqbhf32.exe 2728 Mkconepp.exe 2816 Mdkcgk32.exe 2844 Moahdd32.exe 2180 Njjieace.exe 2676 Ndpmbjbk.exe 2292 Nqgngk32.exe 2240 Nfcfob32.exe 2144 Ngcbie32.exe 1632 Ncjcnfcn.exe 2688 Olehbh32.exe 1160 Olgehh32.exe 2508 Oljanhmc.exe 1876 Oebffm32.exe 2012 Obffpa32.exe 2340 Olokighn.exe 772 Ompgqonl.exe 2492 Pfhlie32.exe 1972 Panpgn32.exe 2432 Pjfdpckc.exe 916 Pdnihiad.exe 1684 Pjhaec32.exe 1464 Pdqfnhpa.exe 2552 Pinnfonh.exe 1592 Pmijgn32.exe 2304 Pbfcoedi.exe 3024 Qpjchicb.exe 2800 Qbhpddbf.exe 2752 Qibhao32.exe 1732 Qbkljd32.exe 2616 Qdlialfb.exe 1528 Aoamoefh.exe 2560 Adnegldo.exe 276 Anfjpa32.exe 348 Ahlnmjkf.exe 1896 Agonig32.exe 2976 Adcobk32.exe 996 Agakog32.exe 1124 Agchdfmk.exe 1036 Ajbdpblo.exe 2316 Boolhikf.exe 3032 Bgfdjfkh.exe 1220 Bhgaan32.exe 1168 Bpnibl32.exe 2000 Bjgmka32.exe 992 Bhjngnod.exe 1848 Bkhjcing.exe 1392 Bocfch32.exe 2804 Bfnnpbnn.exe 2820 Bkjfhile.exe 2924 Bofbih32.exe 2624 Bfpkfb32.exe 2788 Bhngbm32.exe 2588 Bohoogbk.exe 2160 Bqilfp32.exe 3000 Bhqdgm32.exe 2680 Cjbpoeoj.exe 2880 Cbihpbpl.exe 408 Cdgdlnop.exe 3040 Ckamihfm.exe 2468 Cnpieceq.exe 1384 Cdjabn32.exe 2108 Cfknjfbl.exe 2364 Cjfjjd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1456 ccb9c6717880b45c25620a5e32662d90N.exe 1456 ccb9c6717880b45c25620a5e32662d90N.exe 2700 Mkqbhf32.exe 2700 Mkqbhf32.exe 2728 Mkconepp.exe 2728 Mkconepp.exe 2816 Mdkcgk32.exe 2816 Mdkcgk32.exe 2844 Moahdd32.exe 2844 Moahdd32.exe 2180 Njjieace.exe 2180 Njjieace.exe 2676 Ndpmbjbk.exe 2676 Ndpmbjbk.exe 2292 Nqgngk32.exe 2292 Nqgngk32.exe 2240 Nfcfob32.exe 2240 Nfcfob32.exe 2144 Ngcbie32.exe 2144 Ngcbie32.exe 1632 Ncjcnfcn.exe 1632 Ncjcnfcn.exe 2688 Olehbh32.exe 2688 Olehbh32.exe 1160 Olgehh32.exe 1160 Olgehh32.exe 2508 Oljanhmc.exe 2508 Oljanhmc.exe 1876 Oebffm32.exe 1876 Oebffm32.exe 2012 Obffpa32.exe 2012 Obffpa32.exe 2340 Olokighn.exe 2340 Olokighn.exe 772 Ompgqonl.exe 772 Ompgqonl.exe 2492 Pfhlie32.exe 2492 Pfhlie32.exe 1972 Panpgn32.exe 1972 Panpgn32.exe 2432 Pjfdpckc.exe 2432 Pjfdpckc.exe 916 Pdnihiad.exe 916 Pdnihiad.exe 1684 Pjhaec32.exe 1684 Pjhaec32.exe 1464 Pdqfnhpa.exe 1464 Pdqfnhpa.exe 2552 Pinnfonh.exe 2552 Pinnfonh.exe 1592 Pmijgn32.exe 1592 Pmijgn32.exe 2304 Pbfcoedi.exe 2304 Pbfcoedi.exe 3024 Qpjchicb.exe 3024 Qpjchicb.exe 2800 Qbhpddbf.exe 2800 Qbhpddbf.exe 2752 Qibhao32.exe 2752 Qibhao32.exe 1732 Qbkljd32.exe 1732 Qbkljd32.exe 2616 Qdlialfb.exe 2616 Qdlialfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mkconepp.exe Mkqbhf32.exe File created C:\Windows\SysWOW64\Njbfpe32.dll Mjeholco.exe File created C:\Windows\SysWOW64\Enckek32.dll Fdemap32.exe File created C:\Windows\SysWOW64\Gokmnlcf.exe Gllabp32.exe File created C:\Windows\SysWOW64\Fhlpince.dll Mgglcqdk.exe File opened for modification C:\Windows\SysWOW64\Oeobfgak.exe Omhjejai.exe File created C:\Windows\SysWOW64\Njmlqd32.dll Ojnhdn32.exe File opened for modification C:\Windows\SysWOW64\Pnjpdphd.exe Pddlggin.exe File created C:\Windows\SysWOW64\Gfgfed32.dll Elbkbh32.exe File opened for modification C:\Windows\SysWOW64\Pdnihiad.exe Pjfdpckc.exe File created C:\Windows\SysWOW64\Npgpnq32.dll Cfmjoe32.exe File opened for modification C:\Windows\SysWOW64\Gohqhl32.exe Gljdlq32.exe File created C:\Windows\SysWOW64\Imaglc32.exe Ijbjpg32.exe File created C:\Windows\SysWOW64\Kiccle32.exe Kehgkgha.exe File opened for modification C:\Windows\SysWOW64\Khkmba32.exe Kdoaackf.exe File created C:\Windows\SysWOW64\Ghbode32.dll Adcobk32.exe File opened for modification C:\Windows\SysWOW64\Edfqclni.exe Emlhfb32.exe File created C:\Windows\SysWOW64\Ppnmbd32.exe Pmoqfi32.exe File created C:\Windows\SysWOW64\Aihjpman.exe Akejdp32.exe File created C:\Windows\SysWOW64\Cobkhe32.exe Cldolj32.exe File opened for modification C:\Windows\SysWOW64\Dnmhogjo.exe Dkolblkk.exe File created C:\Windows\SysWOW64\Djngjb32.dll Dndoof32.exe File opened for modification C:\Windows\SysWOW64\Kldlmqml.exe Kdmdlc32.exe File created C:\Windows\SysWOW64\Qjcmoqlf.exe Qhdabemb.exe File opened for modification C:\Windows\SysWOW64\Dnjeoa32.exe Djoinbpm.exe File created C:\Windows\SysWOW64\Mmfolail.dll Qbhpddbf.exe File created C:\Windows\SysWOW64\Figoefkf.exe Fdjfmolo.exe File created C:\Windows\SysWOW64\Enqgpadi.dll Fangfcki.exe File created C:\Windows\SysWOW64\Mlfebcnd.exe Lihifhoq.exe File created C:\Windows\SysWOW64\Nhmbfhfd.exe Njjbjk32.exe File opened for modification C:\Windows\SysWOW64\Djoinbpm.exe Cgpmbgai.exe File created C:\Windows\SysWOW64\Lophcpam.exe Llalgdbj.exe File opened for modification C:\Windows\SysWOW64\Dkolblkk.exe Dippfplg.exe File created C:\Windows\SysWOW64\Mkljhe32.dll Denglpkc.exe File created C:\Windows\SysWOW64\Jkocglhl.dll Ggphji32.exe File opened for modification C:\Windows\SysWOW64\Bnfodojp.exe Bkgchckl.exe File opened for modification C:\Windows\SysWOW64\Bnjipn32.exe Bfcqoqeh.exe File created C:\Windows\SysWOW64\Hjegejfl.dll Cclkcdpl.exe File created C:\Windows\SysWOW64\Aebpnp32.dll Cmeffp32.exe File created C:\Windows\SysWOW64\Macnjk32.exe Mcpmonea.exe File created C:\Windows\SysWOW64\Bnpdkcam.dll Mpmdff32.exe File opened for modification C:\Windows\SysWOW64\Eimien32.exe Ebcqicem.exe File created C:\Windows\SysWOW64\Eeffpn32.exe Ebhjdc32.exe File opened for modification C:\Windows\SysWOW64\Fdjfmolo.exe Fpojlp32.exe File opened for modification C:\Windows\SysWOW64\Hancef32.exe Hopgikop.exe File created C:\Windows\SysWOW64\Apdobg32.exe Amfcfk32.exe File opened for modification C:\Windows\SysWOW64\Clbbfj32.exe Chfffk32.exe File created C:\Windows\SysWOW64\Pnpbecig.dll Cdpdpl32.exe File created C:\Windows\SysWOW64\Imfkindn.dll Ncjcnfcn.exe File created C:\Windows\SysWOW64\Pdnihiad.exe Pjfdpckc.exe File created C:\Windows\SysWOW64\Dkolblkk.exe Dippfplg.exe File created C:\Windows\SysWOW64\Lqicio32.dll Clpeajjb.exe File opened for modification C:\Windows\SysWOW64\Eeffpn32.exe Ebhjdc32.exe File created C:\Windows\SysWOW64\Ljhnpb32.dll Fhlhmi32.exe File created C:\Windows\SysWOW64\Gachcl32.dll Ijegeg32.exe File created C:\Windows\SysWOW64\Knijji32.dll Mhmfgdch.exe File created C:\Windows\SysWOW64\Aioppl32.exe Aahhoo32.exe File created C:\Windows\SysWOW64\Lilmmghh.dll Cbagdq32.exe File created C:\Windows\SysWOW64\Cdgdlnop.exe Cbihpbpl.exe File created C:\Windows\SysWOW64\Fillabde.exe Faedpdcc.exe File created C:\Windows\SysWOW64\Lihifhoq.exe Lcnqin32.exe File created C:\Windows\SysWOW64\Anogmi32.dll Aajedn32.exe File created C:\Windows\SysWOW64\Difikhen.dll Bohoogbk.exe File created C:\Windows\SysWOW64\Naegmigc.dll Cdjabn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4748 5108 WerFault.exe 455 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogjbbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbioilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpjnahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmjpoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faimkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngppgae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hancef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfhjfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfjme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnefiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbhpddbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cconcjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdjge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emieflec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpeimhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llooad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peooek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgqlkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkcgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofbih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmlnmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeeeijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ccb9c6717880b45c25620a5e32662d90N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qolmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnonjqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnppei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddlggin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdemap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eodknifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmomelml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgemgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhljnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faopib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgpjjak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplgljbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhhgahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coehnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpnmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbgak32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Panpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkooeblb.dll" Qhbdmeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahpdficc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebhjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chickknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdjabn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fagqed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glhhgahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghkmd32.dll" Jjgpjjak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnpjec32.dll" Mnjnolap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cclkcdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaebeiqd.dll" Aoamoefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpmmd32.dll" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbfhjfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lknbjlnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggcnbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldijj32.dll" Pmijgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqpaln32.dll" Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinelbbc.dll" Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coehnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjoeplp.dll" Gocpcfeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdbiikn.dll" Adnegldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqpgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajepnn.dll" Jjimpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lophcpam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emieflec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghpngkhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moahdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabfoqib.dll" Dippfplg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncdciq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lindbn32.dll" Ebemnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggkoojip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpkkbcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmmoflm.dll" Moikinib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njbfpe32.dll" Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccinnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpiffngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eenckc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgqlkdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpabid32.dll" Hqcpfcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kononm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpfagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecipl32.dll" Ehilgikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolilcpb.dll" Cjfjjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdieaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllio32.dll" Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdoaackf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pihnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnefiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpfagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llalgdbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enlncdio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdfdn32.dll" Ephhmn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1456 wrote to memory of 2700 1456 ccb9c6717880b45c25620a5e32662d90N.exe 29 PID 1456 wrote to memory of 2700 1456 ccb9c6717880b45c25620a5e32662d90N.exe 29 PID 1456 wrote to memory of 2700 1456 ccb9c6717880b45c25620a5e32662d90N.exe 29 PID 1456 wrote to memory of 2700 1456 ccb9c6717880b45c25620a5e32662d90N.exe 29 PID 2700 wrote to memory of 2728 2700 Mkqbhf32.exe 30 PID 2700 wrote to memory of 2728 2700 Mkqbhf32.exe 30 PID 2700 wrote to memory of 2728 2700 Mkqbhf32.exe 30 PID 2700 wrote to memory of 2728 2700 Mkqbhf32.exe 30 PID 2728 wrote to memory of 2816 2728 Mkconepp.exe 31 PID 2728 wrote to memory of 2816 2728 Mkconepp.exe 31 PID 2728 wrote to memory of 2816 2728 Mkconepp.exe 31 PID 2728 wrote to memory of 2816 2728 Mkconepp.exe 31 PID 2816 wrote to memory of 2844 2816 Mdkcgk32.exe 32 PID 2816 wrote to memory of 2844 2816 Mdkcgk32.exe 32 PID 2816 wrote to memory of 2844 2816 Mdkcgk32.exe 32 PID 2816 wrote to memory of 2844 2816 Mdkcgk32.exe 32 PID 2844 wrote to memory of 2180 2844 Moahdd32.exe 33 PID 2844 wrote to memory of 2180 2844 Moahdd32.exe 33 PID 2844 wrote to memory of 2180 2844 Moahdd32.exe 33 PID 2844 wrote to memory of 2180 2844 Moahdd32.exe 33 PID 2180 wrote to memory of 2676 2180 Njjieace.exe 34 PID 2180 wrote to memory of 2676 2180 Njjieace.exe 34 PID 2180 wrote to memory of 2676 2180 Njjieace.exe 34 PID 2180 wrote to memory of 2676 2180 Njjieace.exe 34 PID 2676 wrote to memory of 2292 2676 Ndpmbjbk.exe 35 PID 2676 wrote to memory of 2292 2676 Ndpmbjbk.exe 35 PID 2676 wrote to memory of 2292 2676 Ndpmbjbk.exe 35 PID 2676 wrote to memory of 2292 2676 Ndpmbjbk.exe 35 PID 2292 wrote to memory of 2240 2292 Nqgngk32.exe 36 PID 2292 wrote to memory of 2240 2292 Nqgngk32.exe 36 PID 2292 wrote to memory of 2240 2292 Nqgngk32.exe 36 PID 2292 wrote to memory of 2240 2292 Nqgngk32.exe 36 PID 2240 wrote to memory of 2144 2240 Nfcfob32.exe 37 PID 2240 wrote to memory of 2144 2240 Nfcfob32.exe 37 PID 2240 wrote to memory of 2144 2240 Nfcfob32.exe 37 PID 2240 wrote to memory of 2144 2240 Nfcfob32.exe 37 PID 2144 wrote to memory of 1632 2144 Ngcbie32.exe 38 PID 2144 wrote to memory of 1632 2144 Ngcbie32.exe 38 PID 2144 wrote to memory of 1632 2144 Ngcbie32.exe 38 PID 2144 wrote to memory of 1632 2144 Ngcbie32.exe 38 PID 1632 wrote to memory of 2688 1632 Ncjcnfcn.exe 39 PID 1632 wrote to memory of 2688 1632 Ncjcnfcn.exe 39 PID 1632 wrote to memory of 2688 1632 Ncjcnfcn.exe 39 PID 1632 wrote to memory of 2688 1632 Ncjcnfcn.exe 39 PID 2688 wrote to memory of 1160 2688 Olehbh32.exe 40 PID 2688 wrote to memory of 1160 2688 Olehbh32.exe 40 PID 2688 wrote to memory of 1160 2688 Olehbh32.exe 40 PID 2688 wrote to memory of 1160 2688 Olehbh32.exe 40 PID 1160 wrote to memory of 2508 1160 Olgehh32.exe 41 PID 1160 wrote to memory of 2508 1160 Olgehh32.exe 41 PID 1160 wrote to memory of 2508 1160 Olgehh32.exe 41 PID 1160 wrote to memory of 2508 1160 Olgehh32.exe 41 PID 2508 wrote to memory of 1876 2508 Oljanhmc.exe 42 PID 2508 wrote to memory of 1876 2508 Oljanhmc.exe 42 PID 2508 wrote to memory of 1876 2508 Oljanhmc.exe 42 PID 2508 wrote to memory of 1876 2508 Oljanhmc.exe 42 PID 1876 wrote to memory of 2012 1876 Oebffm32.exe 43 PID 1876 wrote to memory of 2012 1876 Oebffm32.exe 43 PID 1876 wrote to memory of 2012 1876 Oebffm32.exe 43 PID 1876 wrote to memory of 2012 1876 Oebffm32.exe 43 PID 2012 wrote to memory of 2340 2012 Obffpa32.exe 44 PID 2012 wrote to memory of 2340 2012 Obffpa32.exe 44 PID 2012 wrote to memory of 2340 2012 Obffpa32.exe 44 PID 2012 wrote to memory of 2340 2012 Obffpa32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccb9c6717880b45c25620a5e32662d90N.exe"C:\Users\Admin\AppData\Local\Temp\ccb9c6717880b45c25620a5e32662d90N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mdkcgk32.exeC:\Windows\system32\Mdkcgk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ngcbie32.exeC:\Windows\system32\Ngcbie32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Olgehh32.exeC:\Windows\system32\Olgehh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Oljanhmc.exeC:\Windows\system32\Oljanhmc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Qpjchicb.exeC:\Windows\system32\Qpjchicb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Aoamoefh.exeC:\Windows\system32\Aoamoefh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe35⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe36⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe37⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Adcobk32.exeC:\Windows\system32\Adcobk32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe39⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe40⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe41⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Boolhikf.exeC:\Windows\system32\Boolhikf.exe42⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe43⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe44⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe50⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe51⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe54⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe56⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe57⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe58⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe60⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe61⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe62⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe66⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe67⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe68⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe69⤵PID:1600
-
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe70⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe71⤵PID:2836
-
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Dippfplg.exeC:\Windows\system32\Dippfplg.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe76⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe77⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe79⤵PID:1364
-
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe80⤵PID:2600
-
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe81⤵PID:1044
-
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe82⤵PID:1964
-
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe83⤵PID:2096
-
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe84⤵PID:2208
-
C:\Windows\SysWOW64\Djibogkn.exeC:\Windows\system32\Djibogkn.exe85⤵PID:1660
-
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe86⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Denglpkc.exeC:\Windows\system32\Denglpkc.exe87⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe88⤵PID:2632
-
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe89⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe90⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe92⤵
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Ebhani32.exeC:\Windows\system32\Ebhani32.exe94⤵PID:544
-
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe95⤵PID:2424
-
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Ebkndibq.exeC:\Windows\system32\Ebkndibq.exe97⤵PID:920
-
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe98⤵PID:2408
-
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe100⤵PID:1572
-
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe101⤵PID:3020
-
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe102⤵PID:2932
-
C:\Windows\SysWOW64\Eleobngo.exeC:\Windows\system32\Eleobngo.exe103⤵PID:2672
-
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe104⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe105⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe106⤵PID:2172
-
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe107⤵
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe108⤵PID:1740
-
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe112⤵PID:2092
-
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe114⤵PID:2960
-
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe115⤵PID:2140
-
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe116⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Fdjfmolo.exeC:\Windows\system32\Fdjfmolo.exe117⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Figoefkf.exeC:\Windows\system32\Figoefkf.exe118⤵PID:2252
-
C:\Windows\SysWOW64\Fangfcki.exeC:\Windows\system32\Fangfcki.exe119⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe120⤵PID:1968
-
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe121⤵
- Modifies registry class
PID:3056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-