Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 37s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 18:12
Static task: static1
Behavioral task: behavioral1
Sample: 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe
Resource: win10v2004-20240802-en
General
Target: 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe
Size: 89KB
MD5: 507684ed0b611a41b23aa06a7ca2bc10
SHA1: f12ac7aad533be8e6264120d1330ba4c16a1638b
SHA256: 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e
SHA512: 2240a08fba59eb7accb9398a54b14040136a8c5a5ecba961c62a26a91f3450db9b1095b6d76152d53679d184e5818a8e60549b440efa2ae95d16db2e0a6c19f2
SSDEEP: 1536:Q4Mio6eSuCC7iA9X8PRzAbJHuXyfDwgqk+IV4vPrjRQ9D68a+VMKKTRVGFtUhQf1:zxCp9GgJHIyfDw1oV43Hekr4MKy3G7Ug
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3988, pid_target: 3928, Process: WerFault.exe, procid_target: 264
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2412 wrote to memory of 2768 2412 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe 29
PID 2412 wrote to memory of 2768 2412 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe 29
PID 2412 wrote to memory of 2768 2412 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe 29
PID 2412 wrote to memory of 2768 2412 0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe 29
PID 2768 wrote to memory of 2288 2768 Jfecfb32.exe 30
PID 2768 wrote to memory of 2288 2768 Jfecfb32.exe 30
PID 2768 wrote to memory of 2288 2768 Jfecfb32.exe 30
PID 2768 wrote to memory of 2288 2768 Jfecfb32.exe 30
PID 2288 wrote to memory of 2392 2288 Jmplbl32.exe 31
PID 2288 wrote to memory of 2392 2288 Jmplbl32.exe 31
PID 2288 wrote to memory of 2392 2288 Jmplbl32.exe 31
PID 2288 wrote to memory of 2392 2288 Jmplbl32.exe 31
PID 2392 wrote to memory of 2836 2392 Jgeppe32.exe 32
PID 2392 wrote to memory of 2836 2392 Jgeppe32.exe 32
PID 2392 wrote to memory of 2836 2392 Jgeppe32.exe 32
PID 2392 wrote to memory of 2836 2392 Jgeppe32.exe 32
PID 2836 wrote to memory of 2876 2836 Jjcllq32.exe 33
PID 2836 wrote to memory of 2876 2836 Jjcllq32.exe 33
PID 2836 wrote to memory of 2876 2836 Jjcllq32.exe 33
PID 2836 wrote to memory of 2876 2836 Jjcllq32.exe 33
PID 2876 wrote to memory of 2620 2876 Jandikbp.exe 34
PID 2876 wrote to memory of 2620 2876 Jandikbp.exe 34
PID 2876 wrote to memory of 2620 2876 Jandikbp.exe 34
PID 2876 wrote to memory of 2620 2876 Jandikbp.exe 34
PID 2620 wrote to memory of 2624 2620 Jiiimmok.exe 35
PID 2620 wrote to memory of 2624 2620 Jiiimmok.exe 35
PID 2620 wrote to memory of 2624 2620 Jiiimmok.exe 35
PID 2620 wrote to memory of 2624 2620 Jiiimmok.exe 35
PID 2624 wrote to memory of 3068 2624 Kbanfbfk.exe 36
PID 2624 wrote to memory of 3068 2624 Kbanfbfk.exe 36
PID 2624 wrote to memory of 3068 2624 Kbanfbfk.exe 36
PID 2624 wrote to memory of 3068 2624 Kbanfbfk.exe 36
PID 3068 wrote to memory of 404 3068 Kikfbm32.exe 37
PID 3068 wrote to memory of 404 3068 Kikfbm32.exe 37
PID 3068 wrote to memory of 404 3068 Kikfbm32.exe 37
PID 3068 wrote to memory of 404 3068 Kikfbm32.exe 37
PID 404 wrote to memory of 2024 404 Kliboh32.exe 38
PID 404 wrote to memory of 2024 404 Kliboh32.exe 38
PID 404 wrote to memory of 2024 404 Kliboh32.exe 38
PID 404 wrote to memory of 2024 404 Kliboh32.exe 38
PID 2024 wrote to memory of 2792 2024 Kbcjkbdi.exe 39
PID 2024 wrote to memory of 2792 2024 Kbcjkbdi.exe 39
PID 2024 wrote to memory of 2792 2024 Kbcjkbdi.exe 39
PID 2024 wrote to memory of 2792 2024 Kbcjkbdi.exe 39
PID 2792 wrote to memory of 1796 2792 Kimbhl32.exe 40
PID 2792 wrote to memory of 1796 2792 Kimbhl32.exe 40
PID 2792 wrote to memory of 1796 2792 Kimbhl32.exe 40
PID 2792 wrote to memory of 1796 2792 Kimbhl32.exe 40
PID 1796 wrote to memory of 2164 1796 Kbfgab32.exe 41
PID 1796 wrote to memory of 2164 1796 Kbfgab32.exe 41
PID 1796 wrote to memory of 2164 1796 Kbfgab32.exe 41
PID 1796 wrote to memory of 2164 1796 Kbfgab32.exe 41
PID 2164 wrote to memory of 916 2164 Kiponlic.exe 42
PID 2164 wrote to memory of 916 2164 Kiponlic.exe 42
PID 2164 wrote to memory of 916 2164 Kiponlic.exe 42
PID 2164 wrote to memory of 916 2164 Kiponlic.exe 42
PID 916 wrote to memory of 2304 916 Kbhdfa32.exe 43
PID 916 wrote to memory of 2304 916 Kbhdfa32.exe 43
PID 916 wrote to memory of 2304 916 Kbhdfa32.exe 43
PID 916 wrote to memory of 2304 916 Kbhdfa32.exe 43
PID 2304 wrote to memory of 3008 2304 Kefpbm32.exe 44
PID 2304 wrote to memory of 3008 2304 Kefpbm32.exe 44
PID 2304 wrote to memory of 3008 2304 Kefpbm32.exe 44
PID 2304 wrote to memory of 3008 2304 Kefpbm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe"C:\Users\Admin\AppData\Local\Temp\0361062b90acd9ca4949082c9d121f6f15ebef99f0f5ce7b9fcf8edd7f32fd3e.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Jfecfb32.exeC:\Windows\system32\Jfecfb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Jmplbl32.exeC:\Windows\system32\Jmplbl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Jgeppe32.exeC:\Windows\system32\Jgeppe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Jjcllq32.exeC:\Windows\system32\Jjcllq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jandikbp.exeC:\Windows\system32\Jandikbp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Jiiimmok.exeC:\Windows\system32\Jiiimmok.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kbanfbfk.exeC:\Windows\system32\Kbanfbfk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Kikfbm32.exeC:\Windows\system32\Kikfbm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Kliboh32.exeC:\Windows\system32\Kliboh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Kbcjkbdi.exeC:\Windows\system32\Kbcjkbdi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Kimbhl32.exeC:\Windows\system32\Kimbhl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kbfgab32.exeC:\Windows\system32\Kbfgab32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Kiponlic.exeC:\Windows\system32\Kiponlic.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Kbhdfa32.exeC:\Windows\system32\Kbhdfa32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Kefpbm32.exeC:\Windows\system32\Kefpbm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Koodlbeh.exeC:\Windows\system32\Koodlbeh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Keimhmmd.exeC:\Windows\system32\Keimhmmd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Lkeeqckl.exeC:\Windows\system32\Lkeeqckl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Loaaab32.exeC:\Windows\system32\Loaaab32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Lhjfjhje.exeC:\Windows\system32\Lhjfjhje.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Lkhbfcii.exeC:\Windows\system32\Lkhbfcii.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Lmfnbohm.exeC:\Windows\system32\Lmfnbohm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Lpejnj32.exeC:\Windows\system32\Lpejnj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Lgobkdom.exeC:\Windows\system32\Lgobkdom.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Limogpna.exeC:\Windows\system32\Limogpna.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Lllkckme.exeC:\Windows\system32\Lllkckme.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Ledplq32.exeC:\Windows\system32\Ledplq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Llnhikkb.exeC:\Windows\system32\Llnhikkb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Loldefjf.exeC:\Windows\system32\Loldefjf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Lgclfc32.exeC:\Windows\system32\Lgclfc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Libhbo32.exeC:\Windows\system32\Libhbo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Llpdnj32.exeC:\Windows\system32\Llpdnj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Lplqoiai.exeC:\Windows\system32\Lplqoiai.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Looajf32.exeC:\Windows\system32\Looajf32.exe35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mcjmkdpl.exeC:\Windows\system32\Mcjmkdpl.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mammfa32.exeC:\Windows\system32\Mammfa32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Mideho32.exeC:\Windows\system32\Mideho32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Mlbadj32.exeC:\Windows\system32\Mlbadj32.exe39⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mkeapgng.exeC:\Windows\system32\Mkeapgng.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Mekfmp32.exeC:\Windows\system32\Mekfmp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Mdnfhldh.exeC:\Windows\system32\Mdnfhldh.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Mlenijej.exeC:\Windows\system32\Mlenijej.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Mocjeedn.exeC:\Windows\system32\Mocjeedn.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\Mnfjab32.exeC:\Windows\system32\Mnfjab32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Mabfaqca.exeC:\Windows\system32\Mabfaqca.exe46⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Membbo32.exeC:\Windows\system32\Membbo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mdpbnlbe.exeC:\Windows\system32\Mdpbnlbe.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mhlonk32.exeC:\Windows\system32\Mhlonk32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Mofgkebk.exeC:\Windows\system32\Mofgkebk.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Madcgpao.exeC:\Windows\system32\Madcgpao.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Mdbocl32.exeC:\Windows\system32\Mdbocl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Mhnkdjhl.exeC:\Windows\system32\Mhnkdjhl.exe53⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mklhpfho.exeC:\Windows\system32\Mklhpfho.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mjohlb32.exeC:\Windows\system32\Mjohlb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Mnkdlagc.exeC:\Windows\system32\Mnkdlagc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Mdelik32.exeC:\Windows\system32\Mdelik32.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mchldhej.exeC:\Windows\system32\Mchldhej.exe58⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mgcheg32.exeC:\Windows\system32\Mgcheg32.exe59⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Njadab32.exeC:\Windows\system32\Njadab32.exe60⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Nnmqbaeq.exeC:\Windows\system32\Nnmqbaeq.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Nqlmnldd.exeC:\Windows\system32\Nqlmnldd.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Ncjijhch.exeC:\Windows\system32\Ncjijhch.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Ngeekfka.exeC:\Windows\system32\Ngeekfka.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Njdagbjd.exeC:\Windows\system32\Njdagbjd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Nlbncmih.exeC:\Windows\system32\Nlbncmih.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Nqnicl32.exeC:\Windows\system32\Nqnicl32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Noajoihl.exeC:\Windows\system32\Noajoihl.exe68⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Nclfpg32.exeC:\Windows\system32\Nclfpg32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Nfkblc32.exeC:\Windows\system32\Nfkblc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Nhinhn32.exeC:\Windows\system32\Nhinhn32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Nqpfil32.exeC:\Windows\system32\Nqpfil32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Nocfdhfi.exeC:\Windows\system32\Nocfdhfi.exe73⤵PID:1980
-
C:\Windows\SysWOW64\Nbacqdem.exeC:\Windows\system32\Nbacqdem.exe74⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Njikba32.exeC:\Windows\system32\Njikba32.exe75⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Nhlkmnmj.exeC:\Windows\system32\Nhlkmnmj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Nkjgiiln.exeC:\Windows\system32\Nkjgiiln.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Noecjh32.exeC:\Windows\system32\Noecjh32.exe78⤵PID:1048
-
C:\Windows\SysWOW64\Ncaokgmp.exeC:\Windows\system32\Ncaokgmp.exe79⤵
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Nbdpfc32.exeC:\Windows\system32\Nbdpfc32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Nhnhcnkg.exeC:\Windows\system32\Nhnhcnkg.exe81⤵PID:2260
-
C:\Windows\SysWOW64\Nmiccl32.exeC:\Windows\system32\Nmiccl32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Ofbhlbja.exeC:\Windows\system32\Ofbhlbja.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Oipdhm32.exeC:\Windows\system32\Oipdhm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Ogcddjpo.exeC:\Windows\system32\Ogcddjpo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Onmmad32.exeC:\Windows\system32\Onmmad32.exe86⤵PID:2708
-
C:\Windows\SysWOW64\Oqkimp32.exeC:\Windows\system32\Oqkimp32.exe87⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Oibanm32.exeC:\Windows\system32\Oibanm32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Ogeajjnl.exeC:\Windows\system32\Ogeajjnl.exe89⤵
- Drops file in System32 directory
PID:440 -
C:\Windows\SysWOW64\Ojdnfemp.exeC:\Windows\system32\Ojdnfemp.exe90⤵PID:2784
-
C:\Windows\SysWOW64\Onojfd32.exeC:\Windows\system32\Onojfd32.exe91⤵
- Drops file in System32 directory
PID:492 -
C:\Windows\SysWOW64\Oqnfbo32.exeC:\Windows\system32\Oqnfbo32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Oeibcnmf.exeC:\Windows\system32\Oeibcnmf.exe93⤵PID:2916
-
C:\Windows\SysWOW64\Oghnoi32.exeC:\Windows\system32\Oghnoi32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Okcjphdc.exeC:\Windows\system32\Okcjphdc.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Onaflccf.exeC:\Windows\system32\Onaflccf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1412 -
C:\Windows\SysWOW64\Omdfgq32.exeC:\Windows\system32\Omdfgq32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Oeloin32.exeC:\Windows\system32\Oeloin32.exe98⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ojhgad32.exeC:\Windows\system32\Ojhgad32.exe99⤵PID:1352
-
C:\Windows\SysWOW64\Omgcmp32.exeC:\Windows\system32\Omgcmp32.exe100⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Oabonopg.exeC:\Windows\system32\Oabonopg.exe101⤵PID:2704
-
C:\Windows\SysWOW64\Opepik32.exeC:\Windows\system32\Opepik32.exe102⤵PID:3060
-
C:\Windows\SysWOW64\Oglgji32.exeC:\Windows\system32\Oglgji32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Ofohfeoo.exeC:\Windows\system32\Ofohfeoo.exe104⤵PID:2776
-
C:\Windows\SysWOW64\Oindba32.exeC:\Windows\system32\Oindba32.exe105⤵PID:2156
-
C:\Windows\SysWOW64\Omipbpfl.exeC:\Windows\system32\Omipbpfl.exe106⤵PID:1008
-
C:\Windows\SysWOW64\Paelcn32.exeC:\Windows\system32\Paelcn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Pphlokep.exeC:\Windows\system32\Pphlokep.exe108⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pcchoj32.exeC:\Windows\system32\Pcchoj32.exe109⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Pfadke32.exeC:\Windows\system32\Pfadke32.exe110⤵PID:776
-
C:\Windows\SysWOW64\Pmlmhodi.exeC:\Windows\system32\Pmlmhodi.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Plnmcl32.exeC:\Windows\system32\Plnmcl32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Pceeei32.exeC:\Windows\system32\Pceeei32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Pfdaae32.exeC:\Windows\system32\Pfdaae32.exe114⤵PID:2612
-
C:\Windows\SysWOW64\Pmnino32.exeC:\Windows\system32\Pmnino32.exe115⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Plqjilia.exeC:\Windows\system32\Plqjilia.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Pnofeghe.exeC:\Windows\system32\Pnofeghe.exe117⤵PID:2056
-
C:\Windows\SysWOW64\Pbkbff32.exeC:\Windows\system32\Pbkbff32.exe118⤵PID:1828
-
C:\Windows\SysWOW64\Piejbpgk.exeC:\Windows\system32\Piejbpgk.exe119⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Phgjnm32.exeC:\Windows\system32\Phgjnm32.exe120⤵PID:2552
-
C:\Windows\SysWOW64\Ppoboj32.exeC:\Windows\system32\Ppoboj32.exe121⤵
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Pbmoke32.exeC:\Windows\system32\Pbmoke32.exe122⤵
- System Location Discovery: System Language Discovery
PID:952