Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 22:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe
-
Size
96KB
-
MD5
736aba5702e115c0084e4d5f3a5b1977
-
SHA1
47abb7599fd3abd570037d57d44152401daa8fba
-
SHA256
561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94
-
SHA512
df281dc9ade5ee8fce42120a35c2d91407613f019a95f716fc0bedd181b779d41cb0183beba7161b37e8abae2594ba59271b9be62e410de88a3560e7a708b910
-
SSDEEP
1536:tCCY3FQ109l0SG0fkfGshVmct0Ru6OMW4zBYe9MbinV39+ChnSdFFn7Elz45zFVI:gFGm9lvmBvkRu1KYAMbqV39ThSdn7El3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicpnhbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajdniep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepianef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iekgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moflkfca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iencdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anhdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnknqpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfifmghc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbghkfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkopifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llainlje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnaokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbkig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlejkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhnmckc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkabmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifjnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmjkapi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdeaim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjcleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcljdpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaljdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcknjidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemjbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpapgnpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkcoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjjkefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnaokn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccaodgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbilhkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbccklmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pppnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbkoabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfcbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfjhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbncof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajoebigm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdljghj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcqfifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpqgkpcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdbfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfilnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqimoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpomnilc.exe -
Executes dropped EXE 64 IoCs
pid Process 3004 Hffjng32.exe 2968 Heijidbn.exe 2144 Hlcbfnjk.exe 1636 Ibmkbh32.exe 2860 Iekgod32.exe 2760 Ihjcko32.exe 2264 Iockhigl.exe 2296 Iencdc32.exe 2680 Ilhlan32.exe 2796 Iofhmi32.exe 2460 Ieppjclf.exe 2084 Idcqep32.exe 2044 Iljifm32.exe 1260 Ioheci32.exe 2056 Iebmpcjc.exe 2516 Idemkp32.exe 1496 Ikoehj32.exe 896 Innbde32.exe 2588 Iainddpg.exe 1676 Idgjqook.exe 1528 Ihcfan32.exe 1888 Jkabmi32.exe 1744 Jidbifmb.exe 1796 Jakjjcnd.exe 2156 Jdjgfomh.exe 3064 Jghcbjll.exe 1688 Jjgonf32.exe 2964 Jpqgkpcl.exe 592 Jdlclo32.exe 2984 Jgkphj32.exe 2736 Jjilde32.exe 1104 Jlghpa32.exe 2476 Jgmlmj32.exe 2440 Jhniebne.exe 2348 Jpeafo32.exe 2180 Jcdmbk32.exe 2532 Jfbinf32.exe 2428 Jllakpdk.exe 1264 Jojnglco.exe 904 Jcfjhj32.exe 1976 Kfdfdf32.exe 1608 Khcbpa32.exe 2020 Klonqpbi.exe 2052 Knpkhhhg.exe 1632 Kheofahm.exe 264 Kkckblgq.exe 1544 Koogbk32.exe 2728 Kbncof32.exe 1928 Kdlpkb32.exe 2076 Knddcg32.exe 764 Kbppdfmk.exe 1532 Kdnlpaln.exe 2892 Kgmilmkb.exe 2352 Kjkehhjf.exe 2480 Kmjaddii.exe 1248 Kdqifajl.exe 972 Kccian32.exe 2220 Kfbemi32.exe 1648 Kjnanhhc.exe 1076 Lmlnjcgg.exe 2112 Lqgjkbop.exe 2864 Lcffgnnc.exe 2648 Lfdbcing.exe 1020 Liboodmk.exe -
Loads dropped DLL 64 IoCs
pid Process 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 3004 Hffjng32.exe 3004 Hffjng32.exe 2968 Heijidbn.exe 2968 Heijidbn.exe 2144 Hlcbfnjk.exe 2144 Hlcbfnjk.exe 1636 Ibmkbh32.exe 1636 Ibmkbh32.exe 2860 Iekgod32.exe 2860 Iekgod32.exe 2760 Ihjcko32.exe 2760 Ihjcko32.exe 2264 Iockhigl.exe 2264 Iockhigl.exe 2296 Iencdc32.exe 2296 Iencdc32.exe 2680 Ilhlan32.exe 2680 Ilhlan32.exe 2796 Iofhmi32.exe 2796 Iofhmi32.exe 2460 Ieppjclf.exe 2460 Ieppjclf.exe 2084 Idcqep32.exe 2084 Idcqep32.exe 2044 Iljifm32.exe 2044 Iljifm32.exe 1260 Ioheci32.exe 1260 Ioheci32.exe 2056 Iebmpcjc.exe 2056 Iebmpcjc.exe 2516 Idemkp32.exe 2516 Idemkp32.exe 1496 Ikoehj32.exe 1496 Ikoehj32.exe 896 Innbde32.exe 896 Innbde32.exe 2588 Iainddpg.exe 2588 Iainddpg.exe 1676 Idgjqook.exe 1676 Idgjqook.exe 1528 Ihcfan32.exe 1528 Ihcfan32.exe 1888 Jkabmi32.exe 1888 Jkabmi32.exe 1744 Jidbifmb.exe 1744 Jidbifmb.exe 1796 Jakjjcnd.exe 1796 Jakjjcnd.exe 2156 Jdjgfomh.exe 2156 Jdjgfomh.exe 3064 Jghcbjll.exe 3064 Jghcbjll.exe 1688 Jjgonf32.exe 1688 Jjgonf32.exe 2964 Jpqgkpcl.exe 2964 Jpqgkpcl.exe 592 Jdlclo32.exe 592 Jdlclo32.exe 2984 Jgkphj32.exe 2984 Jgkphj32.exe 2736 Jjilde32.exe 2736 Jjilde32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gbeaip32.exe Gkkilfjk.exe File opened for modification C:\Windows\SysWOW64\Doocln32.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Iiqpab32.dll Hgmfjdbe.exe File created C:\Windows\SysWOW64\Ogpjmn32.exe Opebpdad.exe File opened for modification C:\Windows\SysWOW64\Mcghajkq.exe Mkpppmko.exe File opened for modification C:\Windows\SysWOW64\Henjnica.exe Hbpmbndm.exe File opened for modification C:\Windows\SysWOW64\Acbieing.exe Aogmdk32.exe File opened for modification C:\Windows\SysWOW64\Akpkok32.exe Ahancp32.exe File created C:\Windows\SysWOW64\Banndk32.dll Bqffna32.exe File created C:\Windows\SysWOW64\Gcljdpke.exe Gqmmhdka.exe File opened for modification C:\Windows\SysWOW64\Fnjiin32.exe Fcdele32.exe File opened for modification C:\Windows\SysWOW64\Gefjjk32.exe Gjqfmb32.exe File opened for modification C:\Windows\SysWOW64\Jkgelh32.exe Jlddpkgh.exe File created C:\Windows\SysWOW64\Bmjemnpm.dll Dlcceboa.exe File created C:\Windows\SysWOW64\Ajghbjhl.dll Ifkfap32.exe File opened for modification C:\Windows\SysWOW64\Pbnckg32.exe Pldknmhd.exe File opened for modification C:\Windows\SysWOW64\Jmmmbg32.exe Iefeaj32.exe File created C:\Windows\SysWOW64\Mchokq32.exe Majcoepi.exe File created C:\Windows\SysWOW64\Hajkip32.exe Hpinagbm.exe File opened for modification C:\Windows\SysWOW64\Gicpnhbb.exe Gfdcbmbn.exe File created C:\Windows\SysWOW64\Qcchheoq.dll Jilkbn32.exe File created C:\Windows\SysWOW64\Hhbmghna.dll Kdooij32.exe File opened for modification C:\Windows\SysWOW64\Mccaodgj.exe Mogene32.exe File opened for modification C:\Windows\SysWOW64\Nqbdllld.exe Nbodpo32.exe File created C:\Windows\SysWOW64\Khggofme.dll Nnknqpgi.exe File created C:\Windows\SysWOW64\Idnppjcj.exe Imchcplm.exe File created C:\Windows\SysWOW64\Oeldjogm.dll Cbllph32.exe File opened for modification C:\Windows\SysWOW64\Edkahbmo.exe Eamdlf32.exe File created C:\Windows\SysWOW64\Iekbmfdc.exe Imdjlida.exe File opened for modification C:\Windows\SysWOW64\Keodflee.exe Kadhen32.exe File opened for modification C:\Windows\SysWOW64\Mkqbhf32.exe Mjofanld.exe File opened for modification C:\Windows\SysWOW64\Oebdndlp.exe Obcgaill.exe File opened for modification C:\Windows\SysWOW64\Njobpa32.exe Ncejcg32.exe File created C:\Windows\SysWOW64\Eoldfbid.dll Ieppjclf.exe File created C:\Windows\SysWOW64\Fgigok32.dll Idemkp32.exe File opened for modification C:\Windows\SysWOW64\Fcdele32.exe Fqfipj32.exe File created C:\Windows\SysWOW64\Bnnkcdka.dll Lqpiopdh.exe File opened for modification C:\Windows\SysWOW64\Mgnkfjho.exe Mogcelgm.exe File created C:\Windows\SysWOW64\Bhlgkakb.dll Opekenmh.exe File opened for modification C:\Windows\SysWOW64\Mjgqcj32.exe Mfkebkjk.exe File created C:\Windows\SysWOW64\Biolckgf.exe Bfppgohb.exe File opened for modification C:\Windows\SysWOW64\Oojhfj32.exe Ohppjpkc.exe File created C:\Windows\SysWOW64\Bbfibj32.exe Bphmfo32.exe File opened for modification C:\Windows\SysWOW64\Adhohapp.exe Abjcleqm.exe File opened for modification C:\Windows\SysWOW64\Ekpmad32.exe Eioaillo.exe File created C:\Windows\SysWOW64\Imkndofe.exe Ifqfge32.exe File opened for modification C:\Windows\SysWOW64\Ankhmncb.exe Aoihaa32.exe File opened for modification C:\Windows\SysWOW64\Claake32.exe Bcfmfc32.exe File created C:\Windows\SysWOW64\Klmfgnjo.dll Obcgaill.exe File created C:\Windows\SysWOW64\Ckajqo32.exe Cegbce32.exe File created C:\Windows\SysWOW64\Cgkanomj.exe Cemebcnf.exe File opened for modification C:\Windows\SysWOW64\Epbamc32.exe Eaoaafli.exe File opened for modification C:\Windows\SysWOW64\Oophlpag.exe Olalpdbc.exe File created C:\Windows\SysWOW64\Gednek32.exe Gbeaip32.exe File created C:\Windows\SysWOW64\Hbqdldhi.exe Hmdldmja.exe File opened for modification C:\Windows\SysWOW64\Mbhlgg32.exe Mpipkl32.exe File opened for modification C:\Windows\SysWOW64\Onbkle32.exe Ohhcokmp.exe File opened for modification C:\Windows\SysWOW64\Pmlngdhk.exe Pknakhig.exe File created C:\Windows\SysWOW64\Ggppdpif.exe Ghmohcbl.exe File created C:\Windows\SysWOW64\Mqgahh32.exe Mlkegimk.exe File created C:\Windows\SysWOW64\Nmihol32.dll Iainddpg.exe File created C:\Windows\SysWOW64\Jnlnid32.dll Kfbemi32.exe File created C:\Windows\SysWOW64\Mkqbhf32.exe Mjofanld.exe File created C:\Windows\SysWOW64\Mljnaocd.exe Leqeed32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1132 2212 WerFault.exe 1028 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmgbbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjngej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfjalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppmpmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkghjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfmlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhbpfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokfqflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhljpmlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eganqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddqeodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcncg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfgehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgphke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfdkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdpgqgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhbjjhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokofpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbckagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncpffdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggppdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacqlcdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbnnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljkofkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdbcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdokceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkbfmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjiin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbghgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfiekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfipj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memncbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olalpdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Denknngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obijpgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkdgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodnfbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdapjglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjnnbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlcgmpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahancp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcghajkq.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmgpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffinab32.dll" Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhabgpel.dll" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koogbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mljnaocd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaieif32.dll" Agolpnjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kabobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccpgdcke.dll" Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealleg32.dll" Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdffecqf.dll" Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbokqlp.dll" Lpcmlnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akbgdkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npffaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idchbb32.dll" Phbinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdciphb.dll" Fkdlaplh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbieing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmiha32.dll" Cemebcnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncklnkp.dll" Qgfmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnend32.dll" Pgjfflkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nffcebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdbppi32.dll" Kknklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agebam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgjjh32.dll" Gjnbmlmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gppoqa32.dll" Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicqkb32.dll" Knpkhhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boghbgla.dll" Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmminemb.dll" Ejjdmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnifkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndkcnjj.dll" Gofajcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmapna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmiaknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoddg32.dll" Fmofjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbiempj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkljfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okailkhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgmn32.dll" Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoijjjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebakdbbk.dll" Opjlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnnhcknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biiqmd32.dll" Hkiknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkdfong.dll" Lohiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llomhllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljpqlqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhapl32.dll" Noplmlok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noplmlok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doocln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnpeijla.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 3004 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 30 PID 1520 wrote to memory of 3004 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 30 PID 1520 wrote to memory of 3004 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 30 PID 1520 wrote to memory of 3004 1520 561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe 30 PID 3004 wrote to memory of 2968 3004 Hffjng32.exe 31 PID 3004 wrote to memory of 2968 3004 Hffjng32.exe 31 PID 3004 wrote to memory of 2968 3004 Hffjng32.exe 31 PID 3004 wrote to memory of 2968 3004 Hffjng32.exe 31 PID 2968 wrote to memory of 2144 2968 Heijidbn.exe 32 PID 2968 wrote to memory of 2144 2968 Heijidbn.exe 32 PID 2968 wrote to memory of 2144 2968 Heijidbn.exe 32 PID 2968 wrote to memory of 2144 2968 Heijidbn.exe 32 PID 2144 wrote to memory of 1636 2144 Hlcbfnjk.exe 33 PID 2144 wrote to memory of 1636 2144 Hlcbfnjk.exe 33 PID 2144 wrote to memory of 1636 2144 Hlcbfnjk.exe 33 PID 2144 wrote to memory of 1636 2144 Hlcbfnjk.exe 33 PID 1636 wrote to memory of 2860 1636 Ibmkbh32.exe 34 PID 1636 wrote to memory of 2860 1636 Ibmkbh32.exe 34 PID 1636 wrote to memory of 2860 1636 Ibmkbh32.exe 34 PID 1636 wrote to memory of 2860 1636 Ibmkbh32.exe 34 PID 2860 wrote to memory of 2760 2860 Iekgod32.exe 35 PID 2860 wrote to memory of 2760 2860 Iekgod32.exe 35 PID 2860 wrote to memory of 2760 2860 Iekgod32.exe 35 PID 2860 wrote to memory of 2760 2860 Iekgod32.exe 35 PID 2760 wrote to memory of 2264 2760 Ihjcko32.exe 36 PID 2760 wrote to memory of 2264 2760 Ihjcko32.exe 36 PID 2760 wrote to memory of 2264 2760 Ihjcko32.exe 36 PID 2760 wrote to memory of 2264 2760 Ihjcko32.exe 36 PID 2264 wrote to memory of 2296 2264 Iockhigl.exe 37 PID 2264 wrote to memory of 2296 2264 Iockhigl.exe 37 PID 2264 wrote to memory of 2296 2264 Iockhigl.exe 37 PID 2264 wrote to memory of 2296 2264 Iockhigl.exe 37 PID 2296 wrote to memory of 2680 2296 Iencdc32.exe 38 PID 2296 wrote to memory of 2680 2296 Iencdc32.exe 38 PID 2296 wrote to memory of 2680 2296 Iencdc32.exe 38 PID 2296 wrote to memory of 2680 2296 Iencdc32.exe 38 PID 2680 wrote to memory of 2796 2680 Ilhlan32.exe 39 PID 2680 wrote to memory of 2796 2680 Ilhlan32.exe 39 PID 2680 wrote to memory of 2796 2680 Ilhlan32.exe 39 PID 2680 wrote to memory of 2796 2680 Ilhlan32.exe 39 PID 2796 wrote to memory of 2460 2796 Iofhmi32.exe 40 PID 2796 wrote to memory of 2460 2796 Iofhmi32.exe 40 PID 2796 wrote to memory of 2460 2796 Iofhmi32.exe 40 PID 2796 wrote to memory of 2460 2796 Iofhmi32.exe 40 PID 2460 wrote to memory of 2084 2460 Ieppjclf.exe 41 PID 2460 wrote to memory of 2084 2460 Ieppjclf.exe 41 PID 2460 wrote to memory of 2084 2460 Ieppjclf.exe 41 PID 2460 wrote to memory of 2084 2460 Ieppjclf.exe 41 PID 2084 wrote to memory of 2044 2084 Idcqep32.exe 42 PID 2084 wrote to memory of 2044 2084 Idcqep32.exe 42 PID 2084 wrote to memory of 2044 2084 Idcqep32.exe 42 PID 2084 wrote to memory of 2044 2084 Idcqep32.exe 42 PID 2044 wrote to memory of 1260 2044 Iljifm32.exe 43 PID 2044 wrote to memory of 1260 2044 Iljifm32.exe 43 PID 2044 wrote to memory of 1260 2044 Iljifm32.exe 43 PID 2044 wrote to memory of 1260 2044 Iljifm32.exe 43 PID 1260 wrote to memory of 2056 1260 Ioheci32.exe 44 PID 1260 wrote to memory of 2056 1260 Ioheci32.exe 44 PID 1260 wrote to memory of 2056 1260 Ioheci32.exe 44 PID 1260 wrote to memory of 2056 1260 Ioheci32.exe 44 PID 2056 wrote to memory of 2516 2056 Iebmpcjc.exe 45 PID 2056 wrote to memory of 2516 2056 Iebmpcjc.exe 45 PID 2056 wrote to memory of 2516 2056 Iebmpcjc.exe 45 PID 2056 wrote to memory of 2516 2056 Iebmpcjc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe"C:\Users\Admin\AppData\Local\Temp\561d08b91c4c4d0b4ee3f9d60ddb3d01c7ed5423073307678a70824ca7e08f94.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Idcqep32.exeC:\Windows\system32\Idcqep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Iebmpcjc.exeC:\Windows\system32\Iebmpcjc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Idemkp32.exeC:\Windows\system32\Idemkp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe33⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe35⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe37⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe38⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe42⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe43⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe44⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Knpkhhhg.exeC:\Windows\system32\Knpkhhhg.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe46⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe47⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe50⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe51⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe52⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe53⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kgmilmkb.exeC:\Windows\system32\Kgmilmkb.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe55⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe56⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe57⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe58⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe60⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe62⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe63⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Lfdbcing.exeC:\Windows\system32\Lfdbcing.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe65⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe66⤵PID:852
-
C:\Windows\SysWOW64\Lomglo32.exeC:\Windows\system32\Lomglo32.exe67⤵PID:1212
-
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe68⤵PID:2256
-
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe70⤵PID:2116
-
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe71⤵PID:2784
-
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe72⤵PID:576
-
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe74⤵PID:2712
-
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe75⤵PID:2556
-
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe77⤵PID:2188
-
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe79⤵PID:2540
-
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe80⤵PID:1968
-
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe81⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe82⤵PID:1400
-
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe83⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe84⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe85⤵PID:2908
-
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe86⤵PID:2948
-
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe87⤵PID:332
-
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe88⤵PID:1460
-
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe89⤵PID:1664
-
C:\Windows\SysWOW64\Mnkfcjqe.exeC:\Windows\system32\Mnkfcjqe.exe90⤵PID:2444
-
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe91⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe92⤵PID:1416
-
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe93⤵PID:1896
-
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe95⤵PID:2876
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe96⤵PID:2848
-
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe97⤵PID:1612
-
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe98⤵PID:2380
-
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe99⤵PID:2456
-
C:\Windows\SysWOW64\Manljd32.exeC:\Windows\system32\Manljd32.exe100⤵PID:2340
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe101⤵PID:1600
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe102⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe103⤵PID:2100
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe104⤵
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe105⤵PID:2528
-
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe106⤵PID:2936
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe107⤵PID:1396
-
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe108⤵PID:2140
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe110⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe111⤵PID:3032
-
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe112⤵PID:2268
-
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe113⤵PID:344
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe114⤵PID:1804
-
C:\Windows\SysWOW64\Nokcbm32.exeC:\Windows\system32\Nokcbm32.exe115⤵PID:1980
-
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe117⤵PID:2768
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe118⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe119⤵PID:776
-
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Nalldh32.exeC:\Windows\system32\Nalldh32.exe121⤵PID:2136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-