Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 21:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe
-
Size
91KB
-
MD5
6aa34fa2423c0a883225df8eacae96df
-
SHA1
cad761980d2479fc7786f57e6a38a5624d9e0fb6
-
SHA256
56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3
-
SHA512
82c3bbd212b95d9f3b84ff6609f048ab347b07c92364697639aa53d8a2abcfdd72e3d94aa8009e4c1eeec6e10c5bb2a1e1ca9ecc1eabf456b9ff81568e55cc32
-
SSDEEP
1536:44/oQEs+Jq/ejJkn75lp3RlrpbXPYhFZ8oBt/wbDWo7VXWYr/viVMi:4o+YejJkn7hRlZXgfZ8uCPWimo/vOMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Helgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkomchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgffhkoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emagacdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhhdnlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggdejno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgingm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbnocipg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmjaohol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffmkfifa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdmjamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baigca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiepea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagpdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnalad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcqaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bleeioil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojddmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iecdhm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2792 Daejhjkj.exe 2752 Dnlkmkpn.exe 2728 Dciceaoe.exe 2608 Ddhpod32.exe 2252 Ejehgkdp.exe 880 Ecnmpa32.exe 340 Ehjehh32.exe 1316 Ebcjamoh.exe 2296 Elhnof32.exe 2776 Edccch32.exe 2820 Enlglnci.exe 2112 Edfpih32.exe 108 Fbjpblip.exe 1236 Fidhof32.exe 2292 Fdjidgfa.exe 1652 Fkdaqa32.exe 840 Fcpfedki.exe 1188 Fnejbmko.exe 2552 Fpffje32.exe 1096 Ffqofohj.exe 1904 Fcdopc32.exe 1708 Gjngmmnp.exe 1280 Gmmdiind.exe 1920 Gfehan32.exe 1992 Gejebk32.exe 1580 Gldmoepi.exe 3028 Gihniioc.exe 2856 Gjijqa32.exe 2604 Gnefapmj.exe 2044 Gligjd32.exe 984 Hhpgpebh.exe 2936 Hnjplo32.exe 2076 Hahlhkhi.exe 2980 Hjqqap32.exe 2972 Hmomml32.exe 2656 Hbleeb32.exe 2808 Hbnbkbja.exe 1148 Helngnie.exe 2336 Hlffdh32.exe 2480 Ihmgiiff.exe 2412 Iogoec32.exe 2548 Ieagbm32.exe 2124 Iecdhm32.exe 1624 Ihbqdh32.exe 3036 Ikpmpc32.exe 2464 Imoilo32.exe 1048 Iajemnia.exe 1924 Ihdmihpn.exe 2220 Ikbifcpb.exe 2784 Inafbooe.exe 2440 Ippbnjni.exe 2864 Igijkd32.exe 2652 Iihfgp32.exe 700 Ipbocjlg.exe 2188 Jliohkak.exe 1848 Jcbhee32.exe 3004 Jeadap32.exe 3012 Jpfhoi32.exe 1432 Joihjfnl.exe 2120 Jfcqgpfi.exe 3024 Jpiedieo.exe 2444 Jcgapdeb.exe 836 Jfemlpdf.exe 2992 Jlpeij32.exe -
Loads dropped DLL 64 IoCs
pid Process 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 2792 Daejhjkj.exe 2792 Daejhjkj.exe 2752 Dnlkmkpn.exe 2752 Dnlkmkpn.exe 2728 Dciceaoe.exe 2728 Dciceaoe.exe 2608 Ddhpod32.exe 2608 Ddhpod32.exe 2252 Ejehgkdp.exe 2252 Ejehgkdp.exe 880 Ecnmpa32.exe 880 Ecnmpa32.exe 340 Ehjehh32.exe 340 Ehjehh32.exe 1316 Ebcjamoh.exe 1316 Ebcjamoh.exe 2296 Elhnof32.exe 2296 Elhnof32.exe 2776 Edccch32.exe 2776 Edccch32.exe 2820 Enlglnci.exe 2820 Enlglnci.exe 2112 Edfpih32.exe 2112 Edfpih32.exe 108 Fbjpblip.exe 108 Fbjpblip.exe 1236 Fidhof32.exe 1236 Fidhof32.exe 2292 Fdjidgfa.exe 2292 Fdjidgfa.exe 1652 Fkdaqa32.exe 1652 Fkdaqa32.exe 840 Fcpfedki.exe 840 Fcpfedki.exe 1188 Fnejbmko.exe 1188 Fnejbmko.exe 2552 Fpffje32.exe 2552 Fpffje32.exe 1096 Ffqofohj.exe 1096 Ffqofohj.exe 1904 Fcdopc32.exe 1904 Fcdopc32.exe 1708 Gjngmmnp.exe 1708 Gjngmmnp.exe 1280 Gmmdiind.exe 1280 Gmmdiind.exe 1920 Gfehan32.exe 1920 Gfehan32.exe 1992 Gejebk32.exe 1992 Gejebk32.exe 1580 Gldmoepi.exe 1580 Gldmoepi.exe 3028 Gihniioc.exe 3028 Gihniioc.exe 2856 Gjijqa32.exe 2856 Gjijqa32.exe 2604 Gnefapmj.exe 2604 Gnefapmj.exe 2044 Gligjd32.exe 2044 Gligjd32.exe 984 Hhpgpebh.exe 984 Hhpgpebh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpclqkhh.dll Abhkfg32.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Hegpjaac.exe Hmlkfo32.exe File created C:\Windows\SysWOW64\Ipfpae32.dll Process not Found File created C:\Windows\SysWOW64\Djihcnji.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dekdikhc.exe Process not Found File created C:\Windows\SysWOW64\Ongcaafk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Ldbofgme.exe File opened for modification C:\Windows\SysWOW64\Nmflee32.exe Nflchkii.exe File created C:\Windows\SysWOW64\Aqjdgmgd.exe Anlhkbhq.exe File opened for modification C:\Windows\SysWOW64\Dljmlj32.exe Dmgmpnhl.exe File opened for modification C:\Windows\SysWOW64\Iejiodbl.exe Ifgicg32.exe File created C:\Windows\SysWOW64\Kfaalh32.exe Process not Found File created C:\Windows\SysWOW64\Lgehno32.exe Lonpma32.exe File created C:\Windows\SysWOW64\Nppofado.exe Nnnbni32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Process not Found File created C:\Windows\SysWOW64\Iocgfhhc.exe Process not Found File created C:\Windows\SysWOW64\Iecdhm32.exe Ieagbm32.exe File opened for modification C:\Windows\SysWOW64\Imleli32.exe Ifampo32.exe File created C:\Windows\SysWOW64\Qmfpeb32.dll Fqalaa32.exe File created C:\Windows\SysWOW64\Qkdhopfa.dll Jkchmo32.exe File opened for modification C:\Windows\SysWOW64\Ggagmjbq.exe Gdcjpncm.exe File created C:\Windows\SysWOW64\Mappnp32.dll Nmflee32.exe File created C:\Windows\SysWOW64\Khoqme32.dll Allefimb.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Mbhjlbbh.exe Ljabkeaf.exe File created C:\Windows\SysWOW64\Fdnolfon.exe Ffkoai32.exe File created C:\Windows\SysWOW64\Ljkaeo32.exe Lcaiiejc.exe File opened for modification C:\Windows\SysWOW64\Idicbbpi.exe Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Jmhnkfpa.exe Jfofol32.exe File opened for modification C:\Windows\SysWOW64\Kddomchg.exe Klngkfge.exe File created C:\Windows\SysWOW64\Clgbno32.exe Cemjae32.exe File created C:\Windows\SysWOW64\Qaipli32.dll Olkfmi32.exe File created C:\Windows\SysWOW64\Ohjeop32.dll Anjlebjc.exe File created C:\Windows\SysWOW64\Fkdhkd32.dll Pmmeon32.exe File created C:\Windows\SysWOW64\Lmjcge32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mbchni32.exe Mnglnj32.exe File created C:\Windows\SysWOW64\Bgcmiq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Abkhkgbb.exe Aollokco.exe File created C:\Windows\SysWOW64\Bbjdjjdn.exe Baigca32.exe File created C:\Windows\SysWOW64\Kpcqnf32.exe Kjihalag.exe File created C:\Windows\SysWOW64\Nplimbka.exe Nlqmmd32.exe File created C:\Windows\SysWOW64\Objaha32.exe Oplelf32.exe File created C:\Windows\SysWOW64\Ajmijmnn.exe Accqnc32.exe File created C:\Windows\SysWOW64\Gedjkeaj.dll Ihniaa32.exe File created C:\Windows\SysWOW64\Emdmjamj.exe Eoblnd32.exe File created C:\Windows\SysWOW64\Epbbkf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Oabkom32.exe File opened for modification C:\Windows\SysWOW64\Pkcbnanl.exe Pdjjag32.exe File created C:\Windows\SysWOW64\Djocbqpb.exe Process not Found File created C:\Windows\SysWOW64\Bigimdjh.exe Bbmapj32.exe File opened for modification C:\Windows\SysWOW64\Ihmpobck.exe Iabhah32.exe File created C:\Windows\SysWOW64\Hadlijdb.dll Clpabm32.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Obmnna32.exe File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olmela32.exe Ohbikbkb.exe File created C:\Windows\SysWOW64\Cmjdaqgi.exe Cjlheehe.exe File created C:\Windows\SysWOW64\Cnkdfakf.dll Ebklic32.exe File created C:\Windows\SysWOW64\Flclam32.exe Fiepea32.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Andgop32.exe File created C:\Windows\SysWOW64\Mbkpeake.exe Mpmcielb.exe File created C:\Windows\SysWOW64\Oopijc32.exe Okdmjdol.exe File opened for modification C:\Windows\SysWOW64\Phhjblpa.exe Pejmfqan.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4816 3152 Process not Found 1265 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppcmncq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljieppcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naalga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbeofpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljghjpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqnlhpfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkhkgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oagoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobkpdfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbncjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipomlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkomchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edccch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfbfjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieigfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dciceaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacbfii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkccm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmibgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqofohj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkocg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagpdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feafacjb.dll" Kfbfkmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noogpfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfmdj32.dll" Pcaepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kglcogeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll" Cbppnbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdghpph.dll" Pahogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjplo32.dll" Bbjdjjdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dljmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flclam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggagmjbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imoilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiijc32.dll" Mamgmofp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfkhk32.dll" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" Djdgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmolfok.dll" Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecpel32.dll" Pddnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lomgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfndckhj.dll" Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmjq32.dll" Cepfgdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmeolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheocfji.dll" Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkndb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqgacgg.dll" Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noogpfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadacpgf.dll" Ckahkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjohojml.dll" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pecgea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keclgbfi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aigmnqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjfcpo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2792 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 30 PID 2724 wrote to memory of 2792 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 30 PID 2724 wrote to memory of 2792 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 30 PID 2724 wrote to memory of 2792 2724 56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe 30 PID 2792 wrote to memory of 2752 2792 Daejhjkj.exe 31 PID 2792 wrote to memory of 2752 2792 Daejhjkj.exe 31 PID 2792 wrote to memory of 2752 2792 Daejhjkj.exe 31 PID 2792 wrote to memory of 2752 2792 Daejhjkj.exe 31 PID 2752 wrote to memory of 2728 2752 Dnlkmkpn.exe 32 PID 2752 wrote to memory of 2728 2752 Dnlkmkpn.exe 32 PID 2752 wrote to memory of 2728 2752 Dnlkmkpn.exe 32 PID 2752 wrote to memory of 2728 2752 Dnlkmkpn.exe 32 PID 2728 wrote to memory of 2608 2728 Dciceaoe.exe 33 PID 2728 wrote to memory of 2608 2728 Dciceaoe.exe 33 PID 2728 wrote to memory of 2608 2728 Dciceaoe.exe 33 PID 2728 wrote to memory of 2608 2728 Dciceaoe.exe 33 PID 2608 wrote to memory of 2252 2608 Ddhpod32.exe 34 PID 2608 wrote to memory of 2252 2608 Ddhpod32.exe 34 PID 2608 wrote to memory of 2252 2608 Ddhpod32.exe 34 PID 2608 wrote to memory of 2252 2608 Ddhpod32.exe 34 PID 2252 wrote to memory of 880 2252 Ejehgkdp.exe 35 PID 2252 wrote to memory of 880 2252 Ejehgkdp.exe 35 PID 2252 wrote to memory of 880 2252 Ejehgkdp.exe 35 PID 2252 wrote to memory of 880 2252 Ejehgkdp.exe 35 PID 880 wrote to memory of 340 880 Ecnmpa32.exe 36 PID 880 wrote to memory of 340 880 Ecnmpa32.exe 36 PID 880 wrote to memory of 340 880 Ecnmpa32.exe 36 PID 880 wrote to memory of 340 880 Ecnmpa32.exe 36 PID 340 wrote to memory of 1316 340 Ehjehh32.exe 37 PID 340 wrote to memory of 1316 340 Ehjehh32.exe 37 PID 340 wrote to memory of 1316 340 Ehjehh32.exe 37 PID 340 wrote to memory of 1316 340 Ehjehh32.exe 37 PID 1316 wrote to memory of 2296 1316 Ebcjamoh.exe 38 PID 1316 wrote to memory of 2296 1316 Ebcjamoh.exe 38 PID 1316 wrote to memory of 2296 1316 Ebcjamoh.exe 38 PID 1316 wrote to memory of 2296 1316 Ebcjamoh.exe 38 PID 2296 wrote to memory of 2776 2296 Elhnof32.exe 39 PID 2296 wrote to memory of 2776 2296 Elhnof32.exe 39 PID 2296 wrote to memory of 2776 2296 Elhnof32.exe 39 PID 2296 wrote to memory of 2776 2296 Elhnof32.exe 39 PID 2776 wrote to memory of 2820 2776 Edccch32.exe 40 PID 2776 wrote to memory of 2820 2776 Edccch32.exe 40 PID 2776 wrote to memory of 2820 2776 Edccch32.exe 40 PID 2776 wrote to memory of 2820 2776 Edccch32.exe 40 PID 2820 wrote to memory of 2112 2820 Enlglnci.exe 41 PID 2820 wrote to memory of 2112 2820 Enlglnci.exe 41 PID 2820 wrote to memory of 2112 2820 Enlglnci.exe 41 PID 2820 wrote to memory of 2112 2820 Enlglnci.exe 41 PID 2112 wrote to memory of 108 2112 Edfpih32.exe 42 PID 2112 wrote to memory of 108 2112 Edfpih32.exe 42 PID 2112 wrote to memory of 108 2112 Edfpih32.exe 42 PID 2112 wrote to memory of 108 2112 Edfpih32.exe 42 PID 108 wrote to memory of 1236 108 Fbjpblip.exe 43 PID 108 wrote to memory of 1236 108 Fbjpblip.exe 43 PID 108 wrote to memory of 1236 108 Fbjpblip.exe 43 PID 108 wrote to memory of 1236 108 Fbjpblip.exe 43 PID 1236 wrote to memory of 2292 1236 Fidhof32.exe 44 PID 1236 wrote to memory of 2292 1236 Fidhof32.exe 44 PID 1236 wrote to memory of 2292 1236 Fidhof32.exe 44 PID 1236 wrote to memory of 2292 1236 Fidhof32.exe 44 PID 2292 wrote to memory of 1652 2292 Fdjidgfa.exe 45 PID 2292 wrote to memory of 1652 2292 Fdjidgfa.exe 45 PID 2292 wrote to memory of 1652 2292 Fdjidgfa.exe 45 PID 2292 wrote to memory of 1652 2292 Fdjidgfa.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe"C:\Users\Admin\AppData\Local\Temp\56ed1c743b0afb3326364c116bc72b631935c63f298c8f2b9f458963f15855a3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe33⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe34⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe35⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe36⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe38⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe39⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe40⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe41⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe42⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe45⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe48⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe49⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe50⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe51⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe52⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe54⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe55⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe56⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe57⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe58⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe59⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe60⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe61⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe62⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe63⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe64⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe65⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe66⤵PID:1760
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe67⤵PID:1584
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe68⤵PID:828
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe69⤵PID:2524
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe70⤵
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe71⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe73⤵PID:2660
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe74⤵PID:536
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe75⤵PID:1656
-
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe76⤵PID:2152
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe77⤵PID:2960
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe78⤵PID:2804
-
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe79⤵PID:336
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe80⤵PID:2452
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe81⤵PID:2268
-
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe83⤵PID:764
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe84⤵PID:2240
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe85⤵PID:1928
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe86⤵PID:1304
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe87⤵PID:2896
-
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe88⤵PID:2200
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe89⤵PID:544
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe90⤵PID:856
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe91⤵PID:3016
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe92⤵PID:2828
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe93⤵PID:1492
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe94⤵PID:2256
-
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe95⤵PID:2204
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe96⤵PID:1080
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe97⤵PID:2436
-
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe98⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe99⤵PID:2396
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe100⤵PID:2732
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe101⤵PID:2840
-
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe102⤵PID:2644
-
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe103⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe104⤵PID:1728
-
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe105⤵PID:2928
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe106⤵PID:2576
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe107⤵PID:2816
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe108⤵PID:2484
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe109⤵PID:2156
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe110⤵PID:1700
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe111⤵PID:2140
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe112⤵PID:2476
-
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe113⤵PID:1576
-
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe114⤵PID:2304
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe115⤵PID:1608
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe116⤵PID:2984
-
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe117⤵PID:1940
-
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe118⤵PID:2272
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe119⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe120⤵PID:1356
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe121⤵PID:2420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-