Analysis
max time kernel: 68s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 22:07
Static task: static1
Behavioral task: behavioral1
  Sample: 634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6.exe
  Resource: win10v2004-20240802-en
General
Target: 634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6.exe
Size: 80KB
MD5: e07d428084e0bae3eaefce1eec812be1
SHA1: a78d0ebf065a0141cffbe59d044104cf5cb79908
SHA256: 634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6
SHA512: 4fa5f3b4ef2891f70bc7756b0e4b41477d3393ce3da025fd4b2fea02cc5af3d95374e026ea311d419537a8769dbec585235ffee2ed6b3708347ce0248ac2bb29
SSDEEP: 1536:JcS5Ni4H/F6PGWZ5kPdmc68NPo++++++++++++++++++++++++++++++++SE++yS:rji4HteLZ2PC+++++++++++++++++++v
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4312, pid_target: 4124, Process: WerFault.exe, procid_target: 463
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process chain (each process spawns the next one; the leading number is the nesting depth, followed by the image path, the observed command line, the PID and the behaviours tagged for that process):

- 1: C:\Users\Admin\AppData\Local\Temp\634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6.exe (command line "C:\Users\Admin\AppData\Local\Temp\634a3f469cc386d34d280a8eb0a0d860cce406779c4b66f2f6e8950f060f94f6.exe", PID 1756): Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Jedlph32.exe (command line C:\Windows\system32\Jedlph32.exe, PID 2948): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Jpjpmqjl.exe (command line C:\Windows\system32\Jpjpmqjl.exe, PID 2096): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Jhedachg.exe (command line C:\Windows\system32\Jhedachg.exe, PID 2184): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Jckiolgm.exe (command line C:\Windows\system32\Jckiolgm.exe, PID 2644): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Jlcmhann.exe (command line C:\Windows\system32\Jlcmhann.exe, PID 2792): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Jngfei32.exe (command line C:\Windows\system32\Jngfei32.exe, PID 2536): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Kdehmb32.exe (command line C:\Windows\system32\Kdehmb32.exe, PID 3040): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Knnmeh32.exe (command line C:\Windows\system32\Knnmeh32.exe, PID 2920): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Klcjfdqi.exe (command line C:\Windows\system32\Klcjfdqi.exe, PID 2436): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Lnipilbb.exe (command line C:\Windows\system32\Lnipilbb.exe, PID 2052): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Ljbmdmfc.exe (command line C:\Windows\system32\Ljbmdmfc.exe, PID 584): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Lqnbffkn.exe (command line C:\Windows\system32\Lqnbffkn.exe, PID 2896): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Mgkghp32.exe (command line C:\Windows\system32\Mgkghp32.exe, PID 852): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Mpflmbnc.exe (command line C:\Windows\system32\Mpflmbnc.exe, PID 2372): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Mbiadm32.exe (command line C:\Windows\system32\Mbiadm32.exe, PID 2176): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Mgfjld32.exe (command line C:\Windows\system32\Mgfjld32.exe, PID 2332): Executes dropped EXE; Loads dropped DLL
- 18: C:\Windows\SysWOW64\Nnboonmb.exe (command line C:\Windows\system32\Nnboonmb.exe, PID 2000): Executes dropped EXE; Loads dropped DLL
- 19: C:\Windows\SysWOW64\Nlfohb32.exe (command line C:\Windows\system32\Nlfohb32.exe, PID 1084): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 20: C:\Windows\SysWOW64\Njklioqd.exe (command line C:\Windows\system32\Njklioqd.exe, PID 1604): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- 21: C:\Windows\SysWOW64\Nphdaeol.exe (command line C:\Windows\system32\Nphdaeol.exe, PID 1964): Executes dropped EXE; Loads dropped DLL
- 22: C:\Windows\SysWOW64\Oicfpkci.exe (command line C:\Windows\system32\Oicfpkci.exe, PID 2284): Executes dropped EXE; Loads dropped DLL
- 23: C:\Windows\SysWOW64\Opokbdhc.exe (command line C:\Windows\system32\Opokbdhc.exe, PID 2248): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- 24: C:\Windows\SysWOW64\Oigokj32.exe (command line C:\Windows\system32\Oigokj32.exe, PID 3004): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
- 25: C:\Windows\SysWOW64\Obpccped.exe (command line C:\Windows\system32\Obpccped.exe, PID 1560): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 26: C:\Windows\SysWOW64\Okmena32.exe (command line C:\Windows\system32\Okmena32.exe, PID 3064): Executes dropped EXE; Loads dropped DLL
- 27: C:\Windows\SysWOW64\Pdfifg32.exe (command line C:\Windows\system32\Pdfifg32.exe, PID 2760): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 28: C:\Windows\SysWOW64\Pajjpk32.exe (command line C:\Windows\system32\Pajjpk32.exe, PID 936): Executes dropped EXE; Loads dropped DLL
- 29: C:\Windows\SysWOW64\Pieodn32.exe (command line C:\Windows\system32\Pieodn32.exe, PID 2632): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 30: C:\Windows\SysWOW64\Ppacfg32.exe (command line C:\Windows\system32\Ppacfg32.exe, PID 2808): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 31: C:\Windows\SysWOW64\Pgklcaqi.exe (command line C:\Windows\system32\Pgklcaqi.exe, PID 2708): Executes dropped EXE; Loads dropped DLL
- 32: C:\Windows\SysWOW64\Qagiio32.exe (command line C:\Windows\system32\Qagiio32.exe, PID 3036): Executes dropped EXE; Loads dropped DLL
- 33: C:\Windows\SysWOW64\Qlmnfh32.exe (command line C:\Windows\system32\Qlmnfh32.exe, PID 3060): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 34: C:\Windows\SysWOW64\Aomghchl.exe (command line C:\Windows\system32\Aomghchl.exe, PID 2580): Executes dropped EXE
- 35: C:\Windows\SysWOW64\Anjjjn32.exe (command line C:\Windows\system32\Anjjjn32.exe, PID 2600): Executes dropped EXE
- 36: C:\Windows\SysWOW64\Bgbncdmm.exe (command line C:\Windows\system32\Bgbncdmm.exe, PID 2156): Executes dropped EXE
- 37: C:\Windows\SysWOW64\Bqjcli32.exe (command line C:\Windows\system32\Bqjcli32.exe, PID 940): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 38: C:\Windows\SysWOW64\Bciohe32.exe (command line C:\Windows\system32\Bciohe32.exe, PID 2892): Executes dropped EXE
- 39: C:\Windows\SysWOW64\Boppmf32.exe (command line C:\Windows\system32\Boppmf32.exe, PID 2832): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 40: C:\Windows\SysWOW64\Belhem32.exe (command line C:\Windows\system32\Belhem32.exe, PID 944): Executes dropped EXE
- 41: C:\Windows\SysWOW64\Boblbe32.exe (command line C:\Windows\system32\Boblbe32.exe, PID 2228): Executes dropped EXE
- 42: C:\Windows\SysWOW64\Bkimgflg.exe (command line C:\Windows\system32\Bkimgflg.exe, PID 2188): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- 43: C:\Windows\SysWOW64\Cgpnlgak.exe (command line C:\Windows\system32\Cgpnlgak.exe, PID 2164): Executes dropped EXE; System Location Discovery: System Language Discovery
- 44: C:\Windows\SysWOW64\Cbebjpaa.exe (command line C:\Windows\system32\Cbebjpaa.exe, PID 112): Executes dropped EXE; Drops file in System32 directory
- 45: C:\Windows\SysWOW64\Cgbjbgph.exe (command line C:\Windows\system32\Cgbjbgph.exe, PID 1400): Executes dropped EXE; Modifies registry class
- 46: C:\Windows\SysWOW64\Cmocjn32.exe (command line C:\Windows\system32\Cmocjn32.exe, PID 2148): Executes dropped EXE; Modifies registry class
- 47: C:\Windows\SysWOW64\Cjbccb32.exe (command line C:\Windows\system32\Cjbccb32.exe, PID 932): Executes dropped EXE; Modifies registry class
- 48: C:\Windows\SysWOW64\Camlpldf.exe (command line C:\Windows\system32\Camlpldf.exe, PID 676): Executes dropped EXE
- 49: C:\Windows\SysWOW64\Cfidhcbm.exe (command line C:\Windows\system32\Cfidhcbm.exe, PID 2068): Executes dropped EXE
- 50: C:\Windows\SysWOW64\Caohfl32.exe (command line C:\Windows\system32\Caohfl32.exe, PID 2472): Executes dropped EXE; Modifies registry class
- 51: C:\Windows\SysWOW64\Cmfikmhg.exe (command line C:\Windows\system32\Cmfikmhg.exe, PID 1208): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 52: C:\Windows\SysWOW64\Deanooeb.exe (command line C:\Windows\system32\Deanooeb.exe, PID 1612): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 53: C:\Windows\SysWOW64\Doibhekc.exe (command line C:\Windows\system32\Doibhekc.exe, PID 2744): Executes dropped EXE; Modifies registry class
- 54: C:\Windows\SysWOW64\Dolondiq.exe (command line C:\Windows\system32\Dolondiq.exe, PID 2748): Executes dropped EXE; Drops file in System32 directory
- 55: C:\Windows\SysWOW64\Dhdcfj32.exe (command line C:\Windows\system32\Dhdcfj32.exe, PID 2392): Executes dropped EXE
- 56: C:\Windows\SysWOW64\Dehdpnok.exe (command line C:\Windows\system32\Dehdpnok.exe, PID 2540): Executes dropped EXE
- 57: C:\Windows\SysWOW64\Dmcidqlf.exe (command line C:\Windows\system32\Dmcidqlf.exe, PID 2660): Executes dropped EXE; System Location Discovery: System Language Discovery
- 58: C:\Windows\SysWOW64\Dglmmf32.exe (command line C:\Windows\system32\Dglmmf32.exe, PID 3052): Executes dropped EXE; Modifies registry class
- 59: C:\Windows\SysWOW64\Ehkjgi32.exe (command line C:\Windows\system32\Ehkjgi32.exe, PID 2828): Executes dropped EXE; Modifies registry class
- 60: C:\Windows\SysWOW64\Emhbop32.exe (command line C:\Windows\system32\Emhbop32.exe, PID 1708): Executes dropped EXE
- 61: C:\Windows\SysWOW64\Ecdkgg32.exe (command line C:\Windows\system32\Ecdkgg32.exe, PID 2020): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- 62: C:\Windows\SysWOW64\Ephkak32.exe (command line C:\Windows\system32\Ephkak32.exe, PID 1384): Executes dropped EXE
- 63: C:\Windows\SysWOW64\Elolfl32.exe (command line C:\Windows\system32\Elolfl32.exe, PID 1760): Executes dropped EXE; System Location Discovery: System Language Discovery
- 64: C:\Windows\SysWOW64\Egepce32.exe (command line C:\Windows\system32\Egepce32.exe, PID 692): Executes dropped EXE
- 65: C:\Windows\SysWOW64\Eaoadb32.exe (command line C:\Windows\system32\Eaoadb32.exe, PID 2288): Executes dropped EXE
- 66: C:\Windows\SysWOW64\Fcnmne32.exe (command line C:\Windows\system32\Fcnmne32.exe, PID 1316): Modifies registry class
- 67: C:\Windows\SysWOW64\Foencfda.exe (command line C:\Windows\system32\Foencfda.exe, PID 1648)
- 68: C:\Windows\SysWOW64\Fddcqm32.exe (command line C:\Windows\system32\Fddcqm32.exe, PID 276): Modifies registry class
- 69: C:\Windows\SysWOW64\Fdfpfm32.exe (command line C:\Windows\system32\Fdfpfm32.exe, PID 1676)
- 70: C:\Windows\SysWOW64\Fnodob32.exe (command line C:\Windows\system32\Fnodob32.exe, PID 1596): Adds autorun key to be loaded by Explorer.exe on startup
- 71: C:\Windows\SysWOW64\Gdimlllq.exe (command line C:\Windows\system32\Gdimlllq.exe, PID 2408)
- 72: C:\Windows\SysWOW64\Gnaadb32.exe (command line C:\Windows\system32\Gnaadb32.exe, PID 2008): System Location Discovery: System Language Discovery
- 73: C:\Windows\SysWOW64\Gcnjmi32.exe (command line C:\Windows\system32\Gcnjmi32.exe, PID 1808): Drops file in System32 directory
- 74: C:\Windows\SysWOW64\Godjaj32.exe (command line C:\Windows\system32\Godjaj32.exe, PID 1588)
- 75: C:\Windows\SysWOW64\Gjjoob32.exe (command line C:\Windows\system32\Gjjoob32.exe, PID 2768): Adds autorun key to be loaded by Explorer.exe on startup
- 76: C:\Windows\SysWOW64\Gmhkkn32.exe (command line C:\Windows\system32\Gmhkkn32.exe, PID 2604)
- 77: C:\Windows\SysWOW64\Gfaodclg.exe (command line C:\Windows\system32\Gfaodclg.exe, PID 2612)
- 78: C:\Windows\SysWOW64\Gnldhf32.exe (command line C:\Windows\system32\Gnldhf32.exe, PID 3056)
- 79: C:\Windows\SysWOW64\Hiahfo32.exe (command line C:\Windows\system32\Hiahfo32.exe, PID 1288): Drops file in System32 directory
- 80: C:\Windows\SysWOW64\Hjeacf32.exe (command line C:\Windows\system32\Hjeacf32.exe, PID 1428)
- 81: C:\Windows\SysWOW64\Hcnfllcd.exe (command line C:\Windows\system32\Hcnfllcd.exe, PID 1772): Drops file in System32 directory
- 82: C:\Windows\SysWOW64\Hglobj32.exe (command line C:\Windows\system32\Hglobj32.exe, PID 2912): Drops file in System32 directory; Modifies registry class
- 83: C:\Windows\SysWOW64\Hmhgjahb.exe (command line C:\Windows\system32\Hmhgjahb.exe, PID 2724)
- 84: C:\Windows\SysWOW64\Hcbogk32.exe (command line C:\Windows\system32\Hcbogk32.exe, PID 2980)
- 85: C:\Windows\SysWOW64\Hafppp32.exe (command line C:\Windows\system32\Hafppp32.exe, PID 1200): Adds autorun key to be loaded by Explorer.exe on startup
- 86: C:\Windows\SysWOW64\Icdllk32.exe (command line C:\Windows\system32\Icdllk32.exe, PID 108): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- 87: C:\Windows\SysWOW64\Iiaddb32.exe (command line C:\Windows\system32\Iiaddb32.exe, PID 960)
- 88: C:\Windows\SysWOW64\Ibjing32.exe (command line C:\Windows\system32\Ibjing32.exe, PID 856): Adds autorun key to be loaded by Explorer.exe on startup
- 89: C:\Windows\SysWOW64\Imomkp32.exe (command line C:\Windows\system32\Imomkp32.exe, PID 1176)
- 90: C:\Windows\SysWOW64\Inqjbhhh.exe (command line C:\Windows\system32\Inqjbhhh.exe, PID 2412): Drops file in System32 directory
- 91: C:\Windows\SysWOW64\Ippflkok.exe (command line C:\Windows\system32\Ippflkok.exe, PID 2820): Adds autorun key to be loaded by Explorer.exe on startup
- 92: C:\Windows\SysWOW64\Iihkea32.exe (command line C:\Windows\system32\Iihkea32.exe, PID 2720): Drops file in System32 directory
- 93: C:\Windows\SysWOW64\Inecnh32.exe (command line C:\Windows\system32\Inecnh32.exe, PID 2772): Modifies registry class
- 94: C:\Windows\SysWOW64\Ilicgl32.exe (command line C:\Windows\system32\Ilicgl32.exe, PID 2592): System Location Discovery: System Language Discovery
- 95: C:\Windows\SysWOW64\Jbclcf32.exe (command line C:\Windows\system32\Jbclcf32.exe, PID 3044)
- 96: C:\Windows\SysWOW64\Jjnqhh32.exe (command line C:\Windows\system32\Jjnqhh32.exe, PID 3028)
- 97: C:\Windows\SysWOW64\Klipfpeh.exe (command line C:\Windows\system32\Klipfpeh.exe, PID 2640): Drops file in System32 directory; System Location Discovery: System Language Discovery
- 98: C:\Windows\SysWOW64\Kdinea32.exe (command line C:\Windows\system32\Kdinea32.exe, PID 544)
- 99: C:\Windows\SysWOW64\Kdkkkqlk.exe (command line C:\Windows\system32\Kdkkkqlk.exe, PID 1504): Adds autorun key to be loaded by Explorer.exe on startup
- 100: C:\Windows\SysWOW64\Ldbalp32.exe (command line C:\Windows\system32\Ldbalp32.exe, PID 2628): Adds autorun key to be loaded by Explorer.exe on startup
- 101: C:\Windows\SysWOW64\Lfcmchla.exe (command line C:\Windows\system32\Lfcmchla.exe, PID 2224): Adds autorun key to be loaded by Explorer.exe on startup
- 102: C:\Windows\SysWOW64\Llnepb32.exe (command line C:\Windows\system32\Llnepb32.exe, PID 2864): Drops file in System32 directory
- 103: C:\Windows\SysWOW64\Lgcjmkcd.exe (command line C:\Windows\system32\Lgcjmkcd.exe, PID 828)
- 104: C:\Windows\SysWOW64\Mhfckc32.exe (command line C:\Windows\system32\Mhfckc32.exe, PID 396): Modifies registry class
- 105: C:\Windows\SysWOW64\Mfkcdgfi.exe (command line C:\Windows\system32\Mfkcdgfi.exe, PID 2404): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 106: C:\Windows\SysWOW64\Mnfhhicd.exe (command line C:\Windows\system32\Mnfhhicd.exe, PID 2992)
- 107: C:\Windows\SysWOW64\Mdpqec32.exe (command line C:\Windows\system32\Mdpqec32.exe, PID 2076)
- 108: C:\Windows\SysWOW64\Mkjibnbn.exe (command line C:\Windows\system32\Mkjibnbn.exe, PID 2804): Modifies registry class
- 109: C:\Windows\SysWOW64\Mbcaoh32.exe (command line C:\Windows\system32\Mbcaoh32.exe, PID 3068)
- 110: C:\Windows\SysWOW64\Minika32.exe (command line C:\Windows\system32\Minika32.exe, PID 2520): Drops file in System32 directory
- 111: C:\Windows\SysWOW64\Mnjaci32.exe (command line C:\Windows\system32\Mnjaci32.exe, PID 2204)
- 112: C:\Windows\SysWOW64\Mknbmm32.exe (command line C:\Windows\system32\Mknbmm32.exe, PID 2904): Adds autorun key to be loaded by Explorer.exe on startup
- 113: C:\Windows\SysWOW64\Negffbdi.exe (command line C:\Windows\system32\Negffbdi.exe, PID 2840)
- 114: C:\Windows\SysWOW64\Njconi32.exe (command line C:\Windows\system32\Njconi32.exe, PID 2976)
- 115: C:\Windows\SysWOW64\Nfjpcjhe.exe (command line C:\Windows\system32\Nfjpcjhe.exe, PID 2492)
- 116: C:\Windows\SysWOW64\Npcdlp32.exe (command line C:\Windows\system32\Npcdlp32.exe, PID 924)
- 117: C:\Windows\SysWOW64\Nfmlhjfb.exe (command line C:\Windows\system32\Nfmlhjfb.exe, PID 2480): Drops file in System32 directory
- 118: C:\Windows\SysWOW64\Nlieqa32.exe (command line C:\Windows\system32\Nlieqa32.exe, PID 984)
- 119: C:\Windows\SysWOW64\Nfoinj32.exe (command line C:\Windows\system32\Nfoinj32.exe, PID 1028): System Location Discovery: System Language Discovery
- 120: C:\Windows\SysWOW64\Npgngokp.exe (command line C:\Windows\system32\Npgngokp.exe, PID 2212)
- 121: C:\Windows\SysWOW64\Nhbbkahk.exe (command line C:\Windows\system32\Nhbbkahk.exe, PID 2916)
- 122: C:\Windows\SysWOW64\Obhfhj32.exe (command line C:\Windows\system32\Obhfhj32.exe, PID 2984)