Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
57s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 21:30 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a953acd0c875431728673fc5d1943890N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a953acd0c875431728673fc5d1943890N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a953acd0c875431728673fc5d1943890N.exe
-
Size
98KB
-
MD5
a953acd0c875431728673fc5d1943890
-
SHA1
400cbe0878d51606c176ede991cc88bc847b9bf3
-
SHA256
ec78da715415fe351dbb3778973f95068330c379a31d51fc537b305b1e729830
-
SHA512
9ad7702bd8b17aa708d45e7238f96404bd8c2c295ca5aaf8e3898898bd01cdb7911b874de5e271d349392f5ca62b1bef578958c8a76ae066f47569a939d483f4
-
SSDEEP
3072:BV55sfjvw4MA92KBnEVeFKPD375lHzpa1P:BV55sfjBpBnEVeYr75lHzpaF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfkhndca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacjjacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpqfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcapd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fliook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqkleln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbnocipg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmeccao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emdmjamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dipjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghacfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjcec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adlcfjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fchkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfepod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaagcpdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkpglbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmpibam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalkih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqljc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2952 Ajqljc32.exe 1972 Aqjdgmgd.exe 2696 Aggiigmn.exe 2880 Ajeeeblb.exe 2960 Aqonbm32.exe 2800 Acnjnh32.exe 2660 Aijbfo32.exe 1940 Aodkci32.exe 656 Bmhkmm32.exe 3008 Becpap32.exe 932 Bnldjekl.exe 2844 Bajqfq32.exe 1228 Bkpeci32.exe 1184 Bbjmpcab.exe 2972 Bkbaii32.exe 2516 Bmcnqama.exe 1740 Bgibnj32.exe 1816 Cmfkfa32.exe 1332 Cpdgbm32.exe 328 Cjjkpe32.exe 464 Cacclpae.exe 992 Clmdmm32.exe 2168 Cbgmigeq.exe 1764 Ceeieced.exe 2180 Clpabm32.exe 2092 Cpmjhk32.exe 2264 Cblfdg32.exe 2708 Dobgihgp.exe 2612 Demofaol.exe 2368 Dogpdg32.exe 2912 Dafmqb32.exe 2656 Dpkibo32.exe 2208 Dbifnj32.exe 2948 Dmojkc32.exe 1212 Emagacdm.exe 2836 Ehkhaqpk.exe 1124 Epbpbnan.exe 3024 Ecploipa.exe 2364 Ehmdgp32.exe 2100 Elipgofb.exe 2108 Eaeipfei.exe 3052 Eoiiijcc.exe 636 Eaheeecg.exe 592 Fnofjfhk.exe 1328 Fdiogq32.exe 2356 Fggkcl32.exe 876 Fkbgckgd.exe 2060 Famope32.exe 1144 Fdkklp32.exe 2472 Fcnkhmdp.exe 2856 Fkecij32.exe 2900 Flfpabkp.exe 2776 Fdmhbplb.exe 2668 Fcphnm32.exe 1592 Ffodjh32.exe 1260 Fnflke32.exe 2788 Fjlmpfhg.exe 1284 Gceailog.exe 800 Gbhbdi32.exe 3064 Gjojef32.exe 316 Ghajacmo.exe 1148 Gkpfmnlb.exe 384 Gcgnnlle.exe 556 Gdhkfd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1952 a953acd0c875431728673fc5d1943890N.exe 1952 a953acd0c875431728673fc5d1943890N.exe 2952 Ajqljc32.exe 2952 Ajqljc32.exe 1972 Aqjdgmgd.exe 1972 Aqjdgmgd.exe 2696 Aggiigmn.exe 2696 Aggiigmn.exe 2880 Ajeeeblb.exe 2880 Ajeeeblb.exe 2960 Aqonbm32.exe 2960 Aqonbm32.exe 2800 Acnjnh32.exe 2800 Acnjnh32.exe 2660 Aijbfo32.exe 2660 Aijbfo32.exe 1940 Aodkci32.exe 1940 Aodkci32.exe 656 Bmhkmm32.exe 656 Bmhkmm32.exe 3008 Becpap32.exe 3008 Becpap32.exe 932 Bnldjekl.exe 932 Bnldjekl.exe 2844 Bajqfq32.exe 2844 Bajqfq32.exe 1228 Bkpeci32.exe 1228 Bkpeci32.exe 1184 Bbjmpcab.exe 1184 Bbjmpcab.exe 2972 Bkbaii32.exe 2972 Bkbaii32.exe 2516 Bmcnqama.exe 2516 Bmcnqama.exe 1740 Bgibnj32.exe 1740 Bgibnj32.exe 1816 Cmfkfa32.exe 1816 Cmfkfa32.exe 1332 Cpdgbm32.exe 1332 Cpdgbm32.exe 328 Cjjkpe32.exe 328 Cjjkpe32.exe 464 Cacclpae.exe 464 Cacclpae.exe 992 Clmdmm32.exe 992 Clmdmm32.exe 2168 Cbgmigeq.exe 2168 Cbgmigeq.exe 1764 Ceeieced.exe 1764 Ceeieced.exe 2180 Clpabm32.exe 2180 Clpabm32.exe 2092 Cpmjhk32.exe 2092 Cpmjhk32.exe 2264 Cblfdg32.exe 2264 Cblfdg32.exe 2708 Dobgihgp.exe 2708 Dobgihgp.exe 2612 Demofaol.exe 2612 Demofaol.exe 2368 Dogpdg32.exe 2368 Dogpdg32.exe 2912 Dafmqb32.exe 2912 Dafmqb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nfahomfd.exe Nbflno32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qgjccb32.exe File created C:\Windows\SysWOW64\Hpdjnn32.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Fmihbe32.dll Jigbebhb.exe File opened for modification C:\Windows\SysWOW64\Jmlddeio.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Ckbpqe32.exe Cidddj32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Djocbqpb.exe File opened for modification C:\Windows\SysWOW64\Alddjg32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Pgejcl32.dll Hjohmbpd.exe File opened for modification C:\Windows\SysWOW64\Domccejd.exe Dlofgj32.exe File opened for modification C:\Windows\SysWOW64\Eanldqgf.exe Elacliin.exe File opened for modification C:\Windows\SysWOW64\Fkhibino.exe Fleifl32.exe File created C:\Windows\SysWOW64\Kijkje32.exe Kgkonj32.exe File created C:\Windows\SysWOW64\Ajqljc32.exe a953acd0c875431728673fc5d1943890N.exe File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Fplllkdc.exe Fmnopp32.exe File created C:\Windows\SysWOW64\Pblcbn32.exe Popgboae.exe File created C:\Windows\SysWOW64\Hloncd32.dll Alddjg32.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Klcdfdcb.dll Mqnifg32.exe File created C:\Windows\SysWOW64\Nflchkii.exe Ncmglp32.exe File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Gmpcgace.exe File opened for modification C:\Windows\SysWOW64\Goplilpf.exe Ggicgopd.exe File created C:\Windows\SysWOW64\Ieajkfmd.exe Ibcnojnp.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bieopm32.exe File created C:\Windows\SysWOW64\Pihmcioe.dll Pfbfhm32.exe File created C:\Windows\SysWOW64\Ibnhnc32.dll Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Bieopm32.exe Bjbndpmd.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Dfmeccao.exe File created C:\Windows\SysWOW64\Aclpaali.exe Alageg32.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Adqaqk32.dll Nbjeinje.exe File opened for modification C:\Windows\SysWOW64\Hjohmbpd.exe Hcepqh32.exe File created C:\Windows\SysWOW64\Ollopmbl.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Lanbhm32.dll Daplkmbg.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Nncgkioi.dll Gncnmane.exe File created C:\Windows\SysWOW64\Oncobd32.dll Knfndjdp.exe File created C:\Windows\SysWOW64\Nlqmmd32.exe Nibqqh32.exe File opened for modification C:\Windows\SysWOW64\Dlljaj32.exe Dinneo32.exe File opened for modification C:\Windows\SysWOW64\Jhoklnkg.exe Jaecod32.exe File created C:\Windows\SysWOW64\Mobomnoq.exe Mkfclo32.exe File created C:\Windows\SysWOW64\Pdgmlhha.exe Paiaplin.exe File created C:\Windows\SysWOW64\Lpcoeb32.exe Ljigih32.exe File created C:\Windows\SysWOW64\Qkielpdf.exe Qemldifo.exe File created C:\Windows\SysWOW64\Alddjg32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Djlfma32.exe File opened for modification C:\Windows\SysWOW64\Fliook32.exe Fijbco32.exe File opened for modification C:\Windows\SysWOW64\Hmmdin32.exe Hjohmbpd.exe File opened for modification C:\Windows\SysWOW64\Dobgihgp.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Paiaplin.exe Pojecajj.exe File created C:\Windows\SysWOW64\Nlbjim32.dll Pifbjn32.exe File opened for modification C:\Windows\SysWOW64\Lgkkmm32.exe Lpabpcdf.exe File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Epeoaffo.exe File opened for modification C:\Windows\SysWOW64\Iipejmko.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Lpmdgf32.dll Ifolhann.exe File created C:\Windows\SysWOW64\Mlfbgb32.dll Idkpganf.exe File opened for modification C:\Windows\SysWOW64\Fapeic32.exe Fpohakbp.exe File opened for modification C:\Windows\SysWOW64\Kdmban32.exe Klfjpa32.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jfaeme32.exe File created C:\Windows\SysWOW64\Bjnalhgb.dll Cacclpae.exe File created C:\Windows\SysWOW64\Hmalldcn.exe Hifpke32.exe File created C:\Windows\SysWOW64\Bbjjjgna.dll Pjleclph.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8128 8084 WerFault.exe 752 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeaiime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkhndca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhicbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keioca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokfakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpohakbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkojbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkgob32.dll" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbfik32.dll" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmgamof.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boadnkpf.dll" Lhfefgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfpaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjmbaba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgibnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgnbk32.dll" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikedjg32.dll" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcgphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphaobfe.dll" Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldhfnkd.dll" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbfbnddq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cblfdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hegpjaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbjbge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Goqnae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahemgiea.dll" Epeoaffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elacliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qejpoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Ebckmaec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmfcop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldikdp32.dll" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnhgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggicgopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafdnlbb.dll" Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkhip32.dll" Mciabmlo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2952 1952 a953acd0c875431728673fc5d1943890N.exe 30 PID 1952 wrote to memory of 2952 1952 a953acd0c875431728673fc5d1943890N.exe 30 PID 1952 wrote to memory of 2952 1952 a953acd0c875431728673fc5d1943890N.exe 30 PID 1952 wrote to memory of 2952 1952 a953acd0c875431728673fc5d1943890N.exe 30 PID 2952 wrote to memory of 1972 2952 Ajqljc32.exe 31 PID 2952 wrote to memory of 1972 2952 Ajqljc32.exe 31 PID 2952 wrote to memory of 1972 2952 Ajqljc32.exe 31 PID 2952 wrote to memory of 1972 2952 Ajqljc32.exe 31 PID 1972 wrote to memory of 2696 1972 Aqjdgmgd.exe 32 PID 1972 wrote to memory of 2696 1972 Aqjdgmgd.exe 32 PID 1972 wrote to memory of 2696 1972 Aqjdgmgd.exe 32 PID 1972 wrote to memory of 2696 1972 Aqjdgmgd.exe 32 PID 2696 wrote to memory of 2880 2696 Aggiigmn.exe 33 PID 2696 wrote to memory of 2880 2696 Aggiigmn.exe 33 PID 2696 wrote to memory of 2880 2696 Aggiigmn.exe 33 PID 2696 wrote to memory of 2880 2696 Aggiigmn.exe 33 PID 2880 wrote to memory of 2960 2880 Ajeeeblb.exe 34 PID 2880 wrote to memory of 2960 2880 Ajeeeblb.exe 34 PID 2880 wrote to memory of 2960 2880 Ajeeeblb.exe 34 PID 2880 wrote to memory of 2960 2880 Ajeeeblb.exe 34 PID 2960 wrote to memory of 2800 2960 Aqonbm32.exe 35 PID 2960 wrote to memory of 2800 2960 Aqonbm32.exe 35 PID 2960 wrote to memory of 2800 2960 Aqonbm32.exe 35 PID 2960 wrote to memory of 2800 2960 Aqonbm32.exe 35 PID 2800 wrote to memory of 2660 2800 Acnjnh32.exe 36 PID 2800 wrote to memory of 2660 2800 Acnjnh32.exe 36 PID 2800 wrote to memory of 2660 2800 Acnjnh32.exe 36 PID 2800 wrote to memory of 2660 2800 Acnjnh32.exe 36 PID 2660 wrote to memory of 1940 2660 Aijbfo32.exe 37 PID 2660 wrote to memory of 1940 2660 Aijbfo32.exe 37 PID 2660 wrote to memory of 1940 2660 Aijbfo32.exe 37 PID 2660 wrote to memory of 1940 2660 Aijbfo32.exe 37 PID 1940 wrote to memory of 656 1940 Aodkci32.exe 38 PID 1940 wrote to memory of 656 1940 Aodkci32.exe 38 PID 1940 wrote to memory of 656 1940 Aodkci32.exe 38 PID 1940 wrote to memory of 656 1940 Aodkci32.exe 38 PID 656 wrote to memory of 3008 656 Bmhkmm32.exe 39 PID 656 wrote to memory of 3008 656 Bmhkmm32.exe 39 PID 656 wrote to memory of 3008 656 Bmhkmm32.exe 39 PID 656 wrote to memory of 3008 656 Bmhkmm32.exe 39 PID 3008 wrote to memory of 932 3008 Becpap32.exe 40 PID 3008 wrote to memory of 932 3008 Becpap32.exe 40 PID 3008 wrote to memory of 932 3008 Becpap32.exe 40 PID 3008 wrote to memory of 932 3008 Becpap32.exe 40 PID 932 wrote to memory of 2844 932 Bnldjekl.exe 41 PID 932 wrote to memory of 2844 932 Bnldjekl.exe 41 PID 932 wrote to memory of 2844 932 Bnldjekl.exe 41 PID 932 wrote to memory of 2844 932 Bnldjekl.exe 41 PID 2844 wrote to memory of 1228 2844 Bajqfq32.exe 42 PID 2844 wrote to memory of 1228 2844 Bajqfq32.exe 42 PID 2844 wrote to memory of 1228 2844 Bajqfq32.exe 42 PID 2844 wrote to memory of 1228 2844 Bajqfq32.exe 42 PID 1228 wrote to memory of 1184 1228 Bkpeci32.exe 43 PID 1228 wrote to memory of 1184 1228 Bkpeci32.exe 43 PID 1228 wrote to memory of 1184 1228 Bkpeci32.exe 43 PID 1228 wrote to memory of 1184 1228 Bkpeci32.exe 43 PID 1184 wrote to memory of 2972 1184 Bbjmpcab.exe 44 PID 1184 wrote to memory of 2972 1184 Bbjmpcab.exe 44 PID 1184 wrote to memory of 2972 1184 Bbjmpcab.exe 44 PID 1184 wrote to memory of 2972 1184 Bbjmpcab.exe 44 PID 2972 wrote to memory of 2516 2972 Bkbaii32.exe 45 PID 2972 wrote to memory of 2516 2972 Bkbaii32.exe 45 PID 2972 wrote to memory of 2516 2972 Bkbaii32.exe 45 PID 2972 wrote to memory of 2516 2972 Bkbaii32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a953acd0c875431728673fc5d1943890N.exe"C:\Users\Admin\AppData\Local\Temp\a953acd0c875431728673fc5d1943890N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe34⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe35⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe36⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe38⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe39⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe40⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe41⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe42⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe43⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe44⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe45⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe46⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe47⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe50⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe52⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe53⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe55⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe56⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe57⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe59⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe60⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe61⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe63⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe64⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe65⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe66⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe67⤵PID:1976
-
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe68⤵PID:2864
-
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe69⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe71⤵PID:2608
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe72⤵PID:2424
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe73⤵PID:1292
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe75⤵PID:752
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe76⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe77⤵PID:3048
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe78⤵PID:2216
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe79⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe80⤵PID:1676
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe81⤵PID:1696
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe82⤵PID:1620
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe83⤵PID:2324
-
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe84⤵PID:3068
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe85⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe86⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe87⤵PID:2492
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe89⤵PID:840
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe90⤵PID:2964
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe91⤵PID:1848
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe92⤵
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe93⤵PID:2556
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe94⤵PID:2436
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe96⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe97⤵PID:2852
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe98⤵PID:2484
-
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe99⤵PID:1468
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe100⤵PID:2812
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe101⤵PID:1236
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe102⤵PID:2588
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe103⤵PID:2564
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe104⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe105⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe106⤵PID:2316
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe107⤵PID:2148
-
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe108⤵PID:2860
-
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe109⤵PID:348
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe110⤵PID:1392
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe111⤵PID:2824
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe112⤵PID:576
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe113⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe115⤵PID:1340
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe116⤵PID:1776
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe117⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe118⤵PID:2152
-
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe119⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe120⤵PID:2648
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe121⤵PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-