Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
54s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 23:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe
-
Size
79KB
-
MD5
2b352af1c4e2463a929bd941f394f5a7
-
SHA1
a3f26ef45db22b8fe25d1307fc1ef7820f2dd95e
-
SHA256
957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14
-
SHA512
1e94ae39b0e4ea55606b135ee42bb17949fbd58ef0aca65b4437cca352cd6af9a14c8cf4d08ae804b9add1e7469c8f7903f0f54b5d686c18fd6d814582a36648
-
SSDEEP
1536:xeoDyW+Mam4JEIUE8KiFkSIgiItKq9v6DK:4oDyWomrIUEnixtBtKq9vV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apheke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofhqiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmnfajm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmkhmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeeadi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcaeghc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanenoeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobgah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedjib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfliqmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcahga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnohmog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgklma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injlmcib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmicnhob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpijgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeknakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlidplcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmccnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgjob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfmbmkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghjjoeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfqejoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpjfkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddlcgjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefdhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjiiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckboba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpldjajo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjleq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpjdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeeeeehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clehoiam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdqbbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkoagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enajgllm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcjqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhgaqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdghi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhjfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnjlfam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkkhfmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoflpbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioonfaed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeeeeehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clehoiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekiaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mafmhcam.exe -
Executes dropped EXE 64 IoCs
pid Process 2284 Ebjfiboe.exe 2872 Eckcak32.exe 2088 Ejeknelp.exe 2932 Eekpknlf.exe 2752 Ejhhcdjm.exe 884 Fdpmljan.exe 456 Fimedaoe.exe 960 Ffaeneno.exe 2528 Fpijgk32.exe 1736 Fefboabg.exe 2984 Fplgljbm.exe 1972 Fhgkqmph.exe 2324 Fblpnepn.exe 2244 Gledgkfn.exe 1404 Ghlell32.exe 1228 Gepeep32.exe 2908 Gohjnf32.exe 1680 Ghpngkhm.exe 1536 Giakoc32.exe 3000 Ggekhhle.exe 924 Gnocdb32.exe 2124 Hekhid32.exe 1268 Hgjdcghp.exe 1648 Hkljljko.exe 3064 Hhpjfoji.exe 2744 Hnmcne32.exe 1604 Idihponj.exe 2784 Ijfpif32.exe 2768 Idkdfo32.exe 2280 Ijhmnf32.exe 2804 Ifajif32.exe 2596 Iqgofo32.exe 1712 Jibcja32.exe 1828 Jchhhjjg.exe 2708 Jkcllmhb.exe 2020 Jkgfgl32.exe 432 Jepjpajn.exe 1664 Jjmchhhe.exe 2820 Kjopnh32.exe 976 Kplhfo32.exe 1560 Kcjqlm32.exe 2312 Kigidd32.exe 2352 Kfkjnh32.exe 708 Likbpceb.exe 1748 Lbdghi32.exe 1540 Lojhmjag.exe 2084 Ledpjdid.exe 1408 Lomdcj32.exe 1292 Lakqoe32.exe 2332 Looahi32.exe 1596 Mdlfpcnd.exe 2808 Ndnbeclb.exe 2760 Nkhkbmco.exe 1688 Nabcog32.exe 2632 Ngolgn32.exe 3032 Nnidchqp.exe 236 Ndclpb32.exe 2888 Njpdiifd.exe 852 Nchiao32.exe 2520 Nffenj32.exe 2268 Nlpmjdce.exe 2540 Ofibcj32.exe 2724 Ombjpd32.exe 2536 Ocmbmnio.exe -
Loads dropped DLL 64 IoCs
pid Process 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 2284 Ebjfiboe.exe 2284 Ebjfiboe.exe 2872 Eckcak32.exe 2872 Eckcak32.exe 2088 Ejeknelp.exe 2088 Ejeknelp.exe 2932 Eekpknlf.exe 2932 Eekpknlf.exe 2752 Ejhhcdjm.exe 2752 Ejhhcdjm.exe 884 Fdpmljan.exe 884 Fdpmljan.exe 456 Fimedaoe.exe 456 Fimedaoe.exe 960 Ffaeneno.exe 960 Ffaeneno.exe 2528 Fpijgk32.exe 2528 Fpijgk32.exe 1736 Fefboabg.exe 1736 Fefboabg.exe 2984 Fplgljbm.exe 2984 Fplgljbm.exe 1972 Fhgkqmph.exe 1972 Fhgkqmph.exe 2324 Fblpnepn.exe 2324 Fblpnepn.exe 2244 Gledgkfn.exe 2244 Gledgkfn.exe 1404 Ghlell32.exe 1404 Ghlell32.exe 1228 Gepeep32.exe 1228 Gepeep32.exe 2908 Gohjnf32.exe 2908 Gohjnf32.exe 1680 Ghpngkhm.exe 1680 Ghpngkhm.exe 1536 Giakoc32.exe 1536 Giakoc32.exe 3000 Ggekhhle.exe 3000 Ggekhhle.exe 924 Gnocdb32.exe 924 Gnocdb32.exe 2124 Hekhid32.exe 2124 Hekhid32.exe 1268 Hgjdcghp.exe 1268 Hgjdcghp.exe 1648 Hkljljko.exe 1648 Hkljljko.exe 3064 Hhpjfoji.exe 3064 Hhpjfoji.exe 2744 Hnmcne32.exe 2744 Hnmcne32.exe 1604 Idihponj.exe 1604 Idihponj.exe 2784 Ijfpif32.exe 2784 Ijfpif32.exe 2768 Idkdfo32.exe 2768 Idkdfo32.exe 2280 Ijhmnf32.exe 2280 Ijhmnf32.exe 2804 Ifajif32.exe 2804 Ifajif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cgnbepjp.exe Cemfnh32.exe File created C:\Windows\SysWOW64\Cnhjbjam.exe Cgnbepjp.exe File created C:\Windows\SysWOW64\Eckcak32.exe Ebjfiboe.exe File created C:\Windows\SysWOW64\Kplhfo32.exe Kjopnh32.exe File created C:\Windows\SysWOW64\Dndahokk.exe Dgkike32.exe File created C:\Windows\SysWOW64\Nhfpjili.dll Geehcoaf.exe File created C:\Windows\SysWOW64\Pfjdmggb.exe Onacgf32.exe File opened for modification C:\Windows\SysWOW64\Algida32.exe Acldpojj.exe File created C:\Windows\SysWOW64\Ejeknelp.exe Eckcak32.exe File created C:\Windows\SysWOW64\Qnmfmoaa.exe Qeeadi32.exe File created C:\Windows\SysWOW64\Bpgjob32.exe Bimbbhgh.exe File created C:\Windows\SysWOW64\Ekqqea32.exe Eqklhh32.exe File created C:\Windows\SysWOW64\Jbcibnmm.dll Hfjglppd.exe File created C:\Windows\SysWOW64\Idmkjp32.dll Lbdghi32.exe File opened for modification C:\Windows\SysWOW64\Nkhkbmco.exe Ndnbeclb.exe File opened for modification C:\Windows\SysWOW64\Panboflg.exe Pjdjbl32.exe File created C:\Windows\SysWOW64\Eolegi32.dll Bimbbhgh.exe File opened for modification C:\Windows\SysWOW64\Glgcec32.exe Genkhidc.exe File opened for modification C:\Windows\SysWOW64\Jhgonj32.exe Jcjffc32.exe File opened for modification C:\Windows\SysWOW64\Ejeknelp.exe Eckcak32.exe File created C:\Windows\SysWOW64\Eqjjhn32.dll Hgnjlfam.exe File created C:\Windows\SysWOW64\Eoefea32.exe Dhknigfq.exe File opened for modification C:\Windows\SysWOW64\Fndfmljk.exe Edkbdf32.exe File created C:\Windows\SysWOW64\Okhgaqfj.exe Ofkoijhc.exe File created C:\Windows\SysWOW64\Onacgf32.exe Nefncd32.exe File created C:\Windows\SysWOW64\Qeaeeg32.dll Ippkni32.exe File created C:\Windows\SysWOW64\Pifmaooo.dll Ggekhhle.exe File created C:\Windows\SysWOW64\Kkggja32.dll Ijfpif32.exe File created C:\Windows\SysWOW64\Icdcpb32.dll Eoefea32.exe File created C:\Windows\SysWOW64\Kehcdieo.dll Pcahga32.exe File opened for modification C:\Windows\SysWOW64\Gnaffpoi.exe Fidmniqa.exe File created C:\Windows\SysWOW64\Obbdgajq.dll Ghndjd32.exe File created C:\Windows\SysWOW64\Oeakle32.dll Hiichkog.exe File created C:\Windows\SysWOW64\Belecp32.dll Lmondpbc.exe File opened for modification C:\Windows\SysWOW64\Mafmhcam.exe Mlidplcf.exe File created C:\Windows\SysWOW64\Jchhhjjg.exe Jibcja32.exe File opened for modification C:\Windows\SysWOW64\Aagadh32.exe Ajmihn32.exe File created C:\Windows\SysWOW64\Cpogjh32.exe Ckboba32.exe File opened for modification C:\Windows\SysWOW64\Eqhfoj32.exe Ejnnbpol.exe File created C:\Windows\SysWOW64\Kfnpgg32.exe Kmeknakn.exe File opened for modification C:\Windows\SysWOW64\Lmondpbc.exe Lbijgg32.exe File created C:\Windows\SysWOW64\Hbdmij32.dll Lojhmjag.exe File created C:\Windows\SysWOW64\Iegaha32.exe Ipkhpk32.exe File created C:\Windows\SysWOW64\Fddfbm32.dll Efoobkej.exe File opened for modification C:\Windows\SysWOW64\Hekhid32.exe Gnocdb32.exe File created C:\Windows\SysWOW64\Lagomagp.dll Apheke32.exe File created C:\Windows\SysWOW64\Ncbilimn.exe Nijdcdgn.exe File created C:\Windows\SysWOW64\Ddbbod32.exe Cnhjbjam.exe File created C:\Windows\SysWOW64\Enajgllm.exe Eggajb32.exe File opened for modification C:\Windows\SysWOW64\Hpnbjfjj.exe Hmpemkkf.exe File opened for modification C:\Windows\SysWOW64\Qpmbgaid.exe Qibjjgag.exe File created C:\Windows\SysWOW64\Jafnpd32.dll Andlmnki.exe File created C:\Windows\SysWOW64\Jmneon32.dll Aagadh32.exe File created C:\Windows\SysWOW64\Engnno32.exe Ekiaac32.exe File created C:\Windows\SysWOW64\Fdfihk32.dll Fjbdmbmb.exe File created C:\Windows\SysWOW64\Eojpqpih.exe Eddlcgjb.exe File created C:\Windows\SysWOW64\Kkmnmd32.dll Hfmcapna.exe File created C:\Windows\SysWOW64\Blnkmm32.dll Injlmcib.exe File opened for modification C:\Windows\SysWOW64\Kmjhjndm.exe Jofhqiec.exe File created C:\Windows\SysWOW64\Edkbdf32.exe Enajgllm.exe File created C:\Windows\SysWOW64\Gmmihk32.exe Gjomlp32.exe File created C:\Windows\SysWOW64\Jkgfgl32.exe Jkcllmhb.exe File created C:\Windows\SysWOW64\Naohim32.dll Qeeadi32.exe File created C:\Windows\SysWOW64\Paejod32.dll Ddbbod32.exe -
Program crash 1 IoCs
pid pid_target Process 5064 3108 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbeqjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefdhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkjnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlfpcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhmki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgjob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eligoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpjfoji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlpmjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhjpjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifljcanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjdmggb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhjbjam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkoikcaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnohmog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckboba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djnbdlla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfqejoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclbkjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Looahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echpaecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkoagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gledgkfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgebfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekhid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkdfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obfiijia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmkhmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekiaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnlba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhebij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blcokf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chccfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkgjge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Algida32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmnfajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdjbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Choejien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjdia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmklbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefboabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pildih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Benpik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknlfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmicnhob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjopnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeeeeehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkagc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laccdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpjdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfokb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpijgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhkbmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeommfnf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbqhmkhq.dll" Djnbdlla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndif32.dll" Ikfokb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghlell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggekhhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfdlmpf.dll" Hekhid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahmj32.dll" Hkoikcaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcjffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjopnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obfiijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepeng32.dll" Ckoblapc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbbbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejgkg32.dll" Idcdjmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmojcceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nahemf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkcllmhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqqqokla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgkike32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpdnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchladlp.dll" Cnhjbjam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjomlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinqoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aanonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgichoqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beignlig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolcmd32.dll" Nnidchqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jflfbdqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedbbm32.dll" Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khookdof.dll" Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehmda32.dll" Iebmaoed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lomdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfjkcad.dll" Lomdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdedcim.dll" Cgnbepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhpjfoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqakompl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qedjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmklbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfaqm32.dll" Gpihog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgkqmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcghffen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clapna32.dll" Ofmknifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hincna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kehidp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooiml32.dll" Fjdqbbkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqmadn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnaffpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcjqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmij32.dll" Lojhmjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoblapc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobgah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiichkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadcae32.dll" Ofibcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmooblli.dll" Ccmcfc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2284 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 29 PID 2052 wrote to memory of 2284 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 29 PID 2052 wrote to memory of 2284 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 29 PID 2052 wrote to memory of 2284 2052 957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe 29 PID 2284 wrote to memory of 2872 2284 Ebjfiboe.exe 30 PID 2284 wrote to memory of 2872 2284 Ebjfiboe.exe 30 PID 2284 wrote to memory of 2872 2284 Ebjfiboe.exe 30 PID 2284 wrote to memory of 2872 2284 Ebjfiboe.exe 30 PID 2872 wrote to memory of 2088 2872 Eckcak32.exe 31 PID 2872 wrote to memory of 2088 2872 Eckcak32.exe 31 PID 2872 wrote to memory of 2088 2872 Eckcak32.exe 31 PID 2872 wrote to memory of 2088 2872 Eckcak32.exe 31 PID 2088 wrote to memory of 2932 2088 Ejeknelp.exe 32 PID 2088 wrote to memory of 2932 2088 Ejeknelp.exe 32 PID 2088 wrote to memory of 2932 2088 Ejeknelp.exe 32 PID 2088 wrote to memory of 2932 2088 Ejeknelp.exe 32 PID 2932 wrote to memory of 2752 2932 Eekpknlf.exe 33 PID 2932 wrote to memory of 2752 2932 Eekpknlf.exe 33 PID 2932 wrote to memory of 2752 2932 Eekpknlf.exe 33 PID 2932 wrote to memory of 2752 2932 Eekpknlf.exe 33 PID 2752 wrote to memory of 884 2752 Ejhhcdjm.exe 34 PID 2752 wrote to memory of 884 2752 Ejhhcdjm.exe 34 PID 2752 wrote to memory of 884 2752 Ejhhcdjm.exe 34 PID 2752 wrote to memory of 884 2752 Ejhhcdjm.exe 34 PID 884 wrote to memory of 456 884 Fdpmljan.exe 35 PID 884 wrote to memory of 456 884 Fdpmljan.exe 35 PID 884 wrote to memory of 456 884 Fdpmljan.exe 35 PID 884 wrote to memory of 456 884 Fdpmljan.exe 35 PID 456 wrote to memory of 960 456 Fimedaoe.exe 36 PID 456 wrote to memory of 960 456 Fimedaoe.exe 36 PID 456 wrote to memory of 960 456 Fimedaoe.exe 36 PID 456 wrote to memory of 960 456 Fimedaoe.exe 36 PID 960 wrote to memory of 2528 960 Ffaeneno.exe 37 PID 960 wrote to memory of 2528 960 Ffaeneno.exe 37 PID 960 wrote to memory of 2528 960 Ffaeneno.exe 37 PID 960 wrote to memory of 2528 960 Ffaeneno.exe 37 PID 2528 wrote to memory of 1736 2528 Fpijgk32.exe 38 PID 2528 wrote to memory of 1736 2528 Fpijgk32.exe 38 PID 2528 wrote to memory of 1736 2528 Fpijgk32.exe 38 PID 2528 wrote to memory of 1736 2528 Fpijgk32.exe 38 PID 1736 wrote to memory of 2984 1736 Fefboabg.exe 39 PID 1736 wrote to memory of 2984 1736 Fefboabg.exe 39 PID 1736 wrote to memory of 2984 1736 Fefboabg.exe 39 PID 1736 wrote to memory of 2984 1736 Fefboabg.exe 39 PID 2984 wrote to memory of 1972 2984 Fplgljbm.exe 40 PID 2984 wrote to memory of 1972 2984 Fplgljbm.exe 40 PID 2984 wrote to memory of 1972 2984 Fplgljbm.exe 40 PID 2984 wrote to memory of 1972 2984 Fplgljbm.exe 40 PID 1972 wrote to memory of 2324 1972 Fhgkqmph.exe 41 PID 1972 wrote to memory of 2324 1972 Fhgkqmph.exe 41 PID 1972 wrote to memory of 2324 1972 Fhgkqmph.exe 41 PID 1972 wrote to memory of 2324 1972 Fhgkqmph.exe 41 PID 2324 wrote to memory of 2244 2324 Fblpnepn.exe 42 PID 2324 wrote to memory of 2244 2324 Fblpnepn.exe 42 PID 2324 wrote to memory of 2244 2324 Fblpnepn.exe 42 PID 2324 wrote to memory of 2244 2324 Fblpnepn.exe 42 PID 2244 wrote to memory of 1404 2244 Gledgkfn.exe 43 PID 2244 wrote to memory of 1404 2244 Gledgkfn.exe 43 PID 2244 wrote to memory of 1404 2244 Gledgkfn.exe 43 PID 2244 wrote to memory of 1404 2244 Gledgkfn.exe 43 PID 1404 wrote to memory of 1228 1404 Ghlell32.exe 44 PID 1404 wrote to memory of 1228 1404 Ghlell32.exe 44 PID 1404 wrote to memory of 1228 1404 Ghlell32.exe 44 PID 1404 wrote to memory of 1228 1404 Ghlell32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\22434128\zmstage.exeC:\Users\Admin\AppData\Local\Temp\22434128\zmstage.exe1⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe"C:\Users\Admin\AppData\Local\Temp\957eeb9a804c3c20e070f680efda973bb52f2125412d427417127450c7c97c14.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ejhhcdjm.exeC:\Windows\system32\Ejhhcdjm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Fimedaoe.exeC:\Windows\system32\Fimedaoe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Ffaeneno.exeC:\Windows\system32\Ffaeneno.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Fplgljbm.exeC:\Windows\system32\Fplgljbm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fhgkqmph.exeC:\Windows\system32\Fhgkqmph.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Fblpnepn.exeC:\Windows\system32\Fblpnepn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Gepeep32.exeC:\Windows\system32\Gepeep32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Gohjnf32.exeC:\Windows\system32\Gohjnf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Hgjdcghp.exeC:\Windows\system32\Hgjdcghp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Hkljljko.exeC:\Windows\system32\Hkljljko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Hhpjfoji.exeC:\Windows\system32\Hhpjfoji.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Hnmcne32.exeC:\Windows\system32\Hnmcne32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Ijfpif32.exeC:\Windows\system32\Ijfpif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Idkdfo32.exeC:\Windows\system32\Idkdfo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Ijhmnf32.exeC:\Windows\system32\Ijhmnf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Ifajif32.exeC:\Windows\system32\Ifajif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Iqgofo32.exeC:\Windows\system32\Iqgofo32.exe33⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Jibcja32.exeC:\Windows\system32\Jibcja32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Jchhhjjg.exeC:\Windows\system32\Jchhhjjg.exe35⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jkcllmhb.exeC:\Windows\system32\Jkcllmhb.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe37⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe38⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe39⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Kplhfo32.exeC:\Windows\system32\Kplhfo32.exe41⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Kigidd32.exeC:\Windows\system32\Kigidd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Likbpceb.exeC:\Windows\system32\Likbpceb.exe45⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Lbdghi32.exeC:\Windows\system32\Lbdghi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe48⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe50⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Mdlfpcnd.exeC:\Windows\system32\Mdlfpcnd.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe55⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ngolgn32.exeC:\Windows\system32\Ngolgn32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe58⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Njpdiifd.exeC:\Windows\system32\Njpdiifd.exe59⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Nchiao32.exeC:\Windows\system32\Nchiao32.exe60⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe64⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ocmbmnio.exeC:\Windows\system32\Ocmbmnio.exe65⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ofkoijhc.exeC:\Windows\system32\Ofkoijhc.exe66⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe68⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe69⤵PID:2564
-
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe70⤵PID:2936
-
C:\Windows\SysWOW64\Ogadkajl.exeC:\Windows\system32\Ogadkajl.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe74⤵PID:676
-
C:\Windows\SysWOW64\Pqlfjfni.exeC:\Windows\system32\Pqlfjfni.exe75⤵PID:1744
-
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe78⤵PID:2568
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe79⤵PID:1132
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe80⤵PID:1136
-
C:\Windows\SysWOW64\Pildih32.exeC:\Windows\system32\Pildih32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Pinqoh32.exeC:\Windows\system32\Pinqoh32.exe83⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe84⤵PID:1108
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe86⤵PID:2516
-
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe87⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe88⤵PID:2876
-
C:\Windows\SysWOW64\Aanonj32.exeC:\Windows\system32\Aanonj32.exe89⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe90⤵PID:2016
-
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Adohpe32.exeC:\Windows\system32\Adohpe32.exe92⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe93⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe94⤵PID:2180
-
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe95⤵PID:2436
-
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Ajmihn32.exeC:\Windows\system32\Ajmihn32.exe97⤵
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe98⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Abhnlqlf.exeC:\Windows\system32\Abhnlqlf.exe99⤵PID:2944
-
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe100⤵PID:2756
-
C:\Windows\SysWOW64\Bdhjfc32.exeC:\Windows\system32\Bdhjfc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe102⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe104⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bhjppg32.exeC:\Windows\system32\Bhjppg32.exe105⤵PID:1124
-
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe106⤵PID:2472
-
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe108⤵PID:556
-
C:\Windows\SysWOW64\Bdcmjg32.exeC:\Windows\system32\Bdcmjg32.exe109⤵PID:3008
-
C:\Windows\SysWOW64\Bkmegaaf.exeC:\Windows\system32\Bkmegaaf.exe110⤵PID:2920
-
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe111⤵PID:584
-
C:\Windows\SysWOW64\Ckoblapc.exeC:\Windows\system32\Ckoblapc.exe112⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Cnnohmog.exeC:\Windows\system32\Cnnohmog.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Ckboba32.exeC:\Windows\system32\Ckboba32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe116⤵PID:1456
-
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe117⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe118⤵PID:1796
-
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-