Analysis
max time kernel: 63s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
  Resource: win10v2004-20240802-en
General
Target: 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Size: 95KB
MD5: 59f43fbca4115576efef9021b64a1bd8
SHA1: 9d408d1753322cfa6fc1012152471783e88e8aad
SHA256: 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9
SHA512: 81dd08a20e61d5d932a64da3335c7d8e6c17f2bad1dee5b71ffca03acb951c84eb25dcc11c47eb8eac69b2b5303b1ecd824cf67fa6c779051e292bd496b86120
SSDEEP: 1536:Jr0GH5G+vMP6kwYBbur5eA8qQjDodRQrZ8RVRoRch1dROrwpOudRirVtFsrTpMG8:50GZVf6burl8FweyTWM1dQrTOwZtFKnO
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5024, pid_target: 5000, Process: WerFault.exe, procid_target: 362
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2736 wrote to memory of 2112 2736 Haldgbkc.exe 33
PID 2736 wrote to memory of 2112 2736 Haldgbkc.exe 33
PID 2736 wrote to memory of 2112 2736 Haldgbkc.exe 33
PID 2736 wrote to memory of 2112 2736 Haldgbkc.exe 33
PID 2112 wrote to memory of 2708 2112 Hpcnmnnh.exe 34
PID 2112 wrote to memory of 2708 2112 Hpcnmnnh.exe 34
PID 2112 wrote to memory of 2708 2112 Hpcnmnnh.exe 34
PID 2112 wrote to memory of 2708 2112 Hpcnmnnh.exe 34
PID 2708 wrote to memory of 2660 2708 Hbdfoiki.exe 35
PID 2708 wrote to memory of 2660 2708 Hbdfoiki.exe 35
PID 2708 wrote to memory of 2660 2708 Hbdfoiki.exe 35
PID 2708 wrote to memory of 2660 2708 Hbdfoiki.exe 35
PID 2660 wrote to memory of 3016 2660 Impdeg32.exe 36
PID 2660 wrote to memory of 3016 2660 Impdeg32.exe 36
PID 2660 wrote to memory of 3016 2660 Impdeg32.exe 36
PID 2660 wrote to memory of 3016 2660 Impdeg32.exe 36
PID 3016 wrote to memory of 1380 3016 Ifhinl32.exe 37
PID 3016 wrote to memory of 1380 3016 Ifhinl32.exe 37
PID 3016 wrote to memory of 1380 3016 Ifhinl32.exe 37
PID 3016 wrote to memory of 1380 3016 Ifhinl32.exe 37
PID 1380 wrote to memory of 2440 1380 Iljjabfh.exe 38
PID 1380 wrote to memory of 2440 1380 Iljjabfh.exe 38
PID 1380 wrote to memory of 2440 1380 Iljjabfh.exe 38
PID 1380 wrote to memory of 2440 1380 Iljjabfh.exe 38
PID 2440 wrote to memory of 1392 2440 Jinkkgeb.exe 39
PID 2440 wrote to memory of 1392 2440 Jinkkgeb.exe 39
PID 2440 wrote to memory of 1392 2440 Jinkkgeb.exe 39
PID 2440 wrote to memory of 1392 2440 Jinkkgeb.exe 39
PID 1392 wrote to memory of 2840 1392 Jhedachg.exe 40
PID 1392 wrote to memory of 2840 1392 Jhedachg.exe 40
PID 1392 wrote to memory of 2840 1392 Jhedachg.exe 40
PID 1392 wrote to memory of 2840 1392 Jhedachg.exe 40
PID 2840 wrote to memory of 1804 2840 Jdoblckh.exe 41
PID 2840 wrote to memory of 1804 2840 Jdoblckh.exe 41
PID 2840 wrote to memory of 1804 2840 Jdoblckh.exe 41
PID 2840 wrote to memory of 1804 2840 Jdoblckh.exe 41
PID 1804 wrote to memory of 2288 1804 Kjngjj32.exe 42
PID 1804 wrote to memory of 2288 1804 Kjngjj32.exe 42
PID 1804 wrote to memory of 2288 1804 Kjngjj32.exe 42
PID 1804 wrote to memory of 2288 1804 Kjngjj32.exe 42
PID 2288 wrote to memory of 1200 2288 Knlpphnd.exe 43
PID 2288 wrote to memory of 1200 2288 Knlpphnd.exe 43
PID 2288 wrote to memory of 1200 2288 Knlpphnd.exe 43
PID 2288 wrote to memory of 1200 2288 Knlpphnd.exe 43
PID 1200 wrote to memory of 276 1200 Kbpbokop.exe 44
PID 1200 wrote to memory of 276 1200 Kbpbokop.exe 44
PID 1200 wrote to memory of 276 1200 Kbpbokop.exe 44
PID 1200 wrote to memory of 276 1200 Kbpbokop.exe 44
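The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" rows above describe a single persistence chain: a value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value names the DLL Explorer.exe loads at logon. In this run the same CLSID {79ECA078-17FF-726B-E811-213280E5C831} is repointed at a different SysWow64 DLL by one dropped executable after another. The Python below is an added example, not part of the tria.ge report, that parses rows in the report's own flattened format and joins them into that chain. The sample rows are copied from the tables above; the row grammar (operation, registry path, optional quoted data, writing process) is inferred from those rows and is an assumption about the report format.

```python
"""Rebuild the Explorer load path from tria.ge registry IoC rows.

Added example (not part of the tria.ge report). Rows have the shape
    <op> <registry path>[ = "<data>"] <writing process>
and are joined into ShellServiceObjectDelayLoad value -> CLSID -> InProcServer32 DLL,
the chain Explorer.exe follows at logon to load the object.
"""
import re

# Constructed sample: one representative row of each kind, copied from the
# "Adds autorun key" and "Modifies registry class" tables of this report.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjebbkbk.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjepib32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdodel32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgqnccp.dll" Fblcaohd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmghoe32.dll" Nacgpi32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfbknkbn.exe',
]

# Assumed row grammar, inferred from the rows above.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<vtype>\w+)\)) '   # operation, e.g. "Set value (str)"
    r'(?P<path>\\REGISTRY\\.+?)'                           # key path; value names may contain spaces
    r'(?: = "(?P<data>[^"]*)")?'                           # quoted data, present only for Set value
    r' (?P<proc>\S+)$'                                     # image name of the writing process
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_row(row):
    """Split one IoC row into op, key, value name, data, CLSID and writer; None if it does not parse."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    rec = m.groupdict()
    if rec["data"] is not None:
        rec["data"] = rec["data"].replace("\\\\", "\\")  # the report escapes backslashes inside values
    if rec["op"] == "Key created":
        rec["key"], rec["value_name"] = rec["path"], None
    else:
        # A Set value path ends in the value name; a trailing "\" means the key's default value.
        rec["key"], _, rec["value_name"] = rec["path"].rpartition("\\")
    found = CLSID_RE.search(rec["path"])
    rec["clsid"] = found.group(0).upper() if found else None
    return rec


def summarize_persistence(rows):
    """Collect SSODL value -> CLSID, CLSID -> InProcServer32 DLLs, and the set of writing processes."""
    ssodl, servers, writers = {}, {}, set()
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        writers.add(rec["proc"])
        key = rec["key"].lower()
        if key.endswith("\\shellserviceobjectdelayload") and rec["value_name"]:
            ssodl[rec["value_name"]] = rec["data"].upper()
        elif key.endswith("\\inprocserver32") and rec["value_name"] == "" and rec["clsid"]:
            servers.setdefault(rec["clsid"], set()).add(rec["data"])
    return {"ssodl": ssodl, "inproc": servers, "writers": writers}


def load_chain(summary):
    """(SSODL value name, CLSID, DLL path) triples: what Explorer.exe will load at the next logon."""
    return sorted(
        (name, clsid, dll)
        for name, clsid in summary["ssodl"].items()
        for dll in summary["inproc"].get(clsid, ())
    )


def repointed_handlers(summary, min_dlls=2):
    """CLSIDs whose InProcServer32 was pointed at several different DLLs: a handler being rewritten."""
    return {clsid: sorted(dlls) for clsid, dlls in summary["inproc"].items() if len(dlls) >= min_dlls}


if __name__ == "__main__":
    s = summarize_persistence(SAMPLE_ROWS)
    for name, clsid, dll in load_chain(s):
        print(f"SSODL '{name}' -> {clsid} -> {dll}")
    print("repointed:", repointed_handlers(s))
    print("written by:", sorted(s["writers"]))
```

On a live host the same join is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\CLSID, plus their Wow6432Node counterparts seen in this report; any SSODL value whose CLSID resolves to a DLL outside the Windows install, or to a file that was recently written, is worth pulling.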
Processes
-
C:\Users\Admin\AppData\Local\Temp\9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe"C:\Users\Admin\AppData\Local\Temp\9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ggofcmih.exeC:\Windows\system32\Ggofcmih.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Gmlokdgp.exeC:\Windows\system32\Gmlokdgp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Hffpiikm.exeC:\Windows\system32\Hffpiikm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Haldgbkc.exeC:\Windows\system32\Haldgbkc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Hpcnmnnh.exeC:\Windows\system32\Hpcnmnnh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Hbdfoiki.exeC:\Windows\system32\Hbdfoiki.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Impdeg32.exeC:\Windows\system32\Impdeg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ifhinl32.exeC:\Windows\system32\Ifhinl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Iljjabfh.exeC:\Windows\system32\Iljjabfh.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Jinkkgeb.exeC:\Windows\system32\Jinkkgeb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Jhedachg.exeC:\Windows\system32\Jhedachg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Jdoblckh.exeC:\Windows\system32\Jdoblckh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kjngjj32.exeC:\Windows\system32\Kjngjj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Knlpphnd.exeC:\Windows\system32\Knlpphnd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Kbpbokop.exeC:\Windows\system32\Kbpbokop.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Lkhfhaea.exeC:\Windows\system32\Lkhfhaea.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Lhodgebh.exeC:\Windows\system32\Lhodgebh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Lbghpjih.exeC:\Windows\system32\Lbghpjih.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Lmcfeh32.exeC:\Windows\system32\Lmcfeh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Mcokhaho.exeC:\Windows\system32\Mcokhaho.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Minpeh32.exeC:\Windows\system32\Minpeh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Miqmkh32.exeC:\Windows\system32\Miqmkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Nnpbinoe.exeC:\Windows\system32\Nnpbinoe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Nhhfbd32.exeC:\Windows\system32\Nhhfbd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Nacgpi32.exeC:\Windows\system32\Nacgpi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ndadld32.exeC:\Windows\system32\Ndadld32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ndfmgdeb.exeC:\Windows\system32\Ndfmgdeb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Oenppk32.exeC:\Windows\system32\Oenppk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Pecikj32.exeC:\Windows\system32\Pecikj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Pkpacaoj.exeC:\Windows\system32\Pkpacaoj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Phcbmend.exeC:\Windows\system32\Phcbmend.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Palgek32.exeC:\Windows\system32\Palgek32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Pgionbbl.exeC:\Windows\system32\Pgionbbl.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Pncgjl32.exeC:\Windows\system32\Pncgjl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Pcppbc32.exeC:\Windows\system32\Pcppbc32.exe36⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Plhdkhoq.exeC:\Windows\system32\Plhdkhoq.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Peqidn32.exeC:\Windows\system32\Peqidn32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Qpfmageg.exeC:\Windows\system32\Qpfmageg.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Qlmnfh32.exeC:\Windows\system32\Qlmnfh32.exe40⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Anpgdp32.exeC:\Windows\system32\Anpgdp32.exe42⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Anbcio32.exeC:\Windows\system32\Anbcio32.exe43⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Agkhbece.exeC:\Windows\system32\Agkhbece.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Agmehd32.exeC:\Windows\system32\Agmehd32.exe46⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Acdemegf.exeC:\Windows\system32\Acdemegf.exe47⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Bickkl32.exeC:\Windows\system32\Bickkl32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Bblocaik.exeC:\Windows\system32\Bblocaik.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Belhem32.exeC:\Windows\system32\Belhem32.exe50⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Bfldopno.exeC:\Windows\system32\Bfldopno.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Bpdihedp.exeC:\Windows\system32\Bpdihedp.exe52⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Cgpnlgak.exeC:\Windows\system32\Cgpnlgak.exe53⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Cnifia32.exeC:\Windows\system32\Cnifia32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ckmfbf32.exeC:\Windows\system32\Ckmfbf32.exe55⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ccikghel.exeC:\Windows\system32\Ccikghel.exe56⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Cnnpdaeb.exeC:\Windows\system32\Cnnpdaeb.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cjepib32.exeC:\Windows\system32\Cjepib32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cbpendha.exeC:\Windows\system32\Cbpendha.exe59⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cmfikmhg.exeC:\Windows\system32\Cmfikmhg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Diljpn32.exeC:\Windows\system32\Diljpn32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Diofenki.exeC:\Windows\system32\Diofenki.exe62⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Dolondiq.exeC:\Windows\system32\Dolondiq.exe63⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Dbihccpg.exeC:\Windows\system32\Dbihccpg.exe64⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Dlblmh32.exeC:\Windows\system32\Dlblmh32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Dejqenmh.exeC:\Windows\system32\Dejqenmh.exe66⤵
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Ekgineko.exeC:\Windows\system32\Ekgineko.exe67⤵PID:880
-
C:\Windows\SysWOW64\Egnjbfqc.exeC:\Windows\system32\Egnjbfqc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Edbjljpm.exeC:\Windows\system32\Edbjljpm.exe69⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Egbcne32.exeC:\Windows\system32\Egbcne32.exe70⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Elolfl32.exeC:\Windows\system32\Elolfl32.exe71⤵PID:2096
-
C:\Windows\SysWOW64\Ecidbfbb.exeC:\Windows\system32\Ecidbfbb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Epmdljal.exeC:\Windows\system32\Epmdljal.exe73⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Eaoadb32.exeC:\Windows\system32\Eaoadb32.exe74⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Fobamgfd.exeC:\Windows\system32\Fobamgfd.exe75⤵PID:696
-
C:\Windows\SysWOW64\Feljja32.exeC:\Windows\system32\Feljja32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Foencfda.exeC:\Windows\system32\Foencfda.exe77⤵PID:2340
-
C:\Windows\SysWOW64\Fddcqm32.exeC:\Windows\system32\Fddcqm32.exe78⤵PID:1796
-
C:\Windows\SysWOW64\Fdfpfm32.exeC:\Windows\system32\Fdfpfm32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Fjchnclk.exeC:\Windows\system32\Fjchnclk.exe80⤵PID:2628
-
C:\Windows\SysWOW64\Gggihhkd.exeC:\Windows\system32\Gggihhkd.exe81⤵PID:1968
-
C:\Windows\SysWOW64\Gobnljhp.exeC:\Windows\system32\Gobnljhp.exe82⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Gflfidpl.exeC:\Windows\system32\Gflfidpl.exe83⤵PID:2128
-
C:\Windows\SysWOW64\Godjaj32.exeC:\Windows\system32\Godjaj32.exe84⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Gogggi32.exeC:\Windows\system32\Gogggi32.exe85⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Hekfpo32.exeC:\Windows\system32\Hekfpo32.exe86⤵
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Haafepbn.exeC:\Windows\system32\Haafepbn.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Hiohob32.exeC:\Windows\system32\Hiohob32.exe88⤵PID:2472
-
C:\Windows\SysWOW64\Ifchhf32.exeC:\Windows\system32\Ifchhf32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Icgibkki.exeC:\Windows\system32\Icgibkki.exe90⤵PID:2732
-
C:\Windows\SysWOW64\Iidajaiq.exeC:\Windows\system32\Iidajaiq.exe91⤵PID:2644
-
C:\Windows\SysWOW64\Iblfcg32.exeC:\Windows\system32\Iblfcg32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Ihinkn32.exeC:\Windows\system32\Ihinkn32.exe93⤵PID:2936
-
C:\Windows\SysWOW64\Ibobhgno.exeC:\Windows\system32\Ibobhgno.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Ilggal32.exeC:\Windows\system32\Ilggal32.exe95⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Ieokjbkp.exeC:\Windows\system32\Ieokjbkp.exe96⤵PID:2852
-
C:\Windows\SysWOW64\Jbclcf32.exeC:\Windows\system32\Jbclcf32.exe97⤵PID:944
-
C:\Windows\SysWOW64\Jllpmlqj.exeC:\Windows\system32\Jllpmlqj.exe98⤵PID:2164
-
C:\Windows\SysWOW64\Jedeea32.exeC:\Windows\system32\Jedeea32.exe99⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Jdibfn32.exeC:\Windows\system32\Jdibfn32.exe100⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Jambpb32.exeC:\Windows\system32\Jambpb32.exe101⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Jkegigal.exeC:\Windows\system32\Jkegigal.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Jpboan32.exeC:\Windows\system32\Jpboan32.exe103⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Kikcjdfd.exeC:\Windows\system32\Kikcjdfd.exe104⤵PID:236
-
C:\Windows\SysWOW64\Kgodchen.exeC:\Windows\system32\Kgodchen.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Klkmkoce.exeC:\Windows\system32\Klkmkoce.exe106⤵PID:2744
-
C:\Windows\SysWOW64\Kedaddif.exeC:\Windows\system32\Kedaddif.exe107⤵PID:2776
-
C:\Windows\SysWOW64\Kdinea32.exeC:\Windows\system32\Kdinea32.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Kehjpd32.exeC:\Windows\system32\Kehjpd32.exe109⤵PID:2528
-
C:\Windows\SysWOW64\Kkechk32.exeC:\Windows\system32\Kkechk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ldngqqjh.exeC:\Windows\system32\Ldngqqjh.exe111⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Ljjpighp.exeC:\Windows\system32\Ljjpighp.exe112⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Lgnqbl32.exeC:\Windows\system32\Lgnqbl32.exe113⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Lceagmmn.exeC:\Windows\system32\Lceagmmn.exe114⤵PID:2716
-
C:\Windows\SysWOW64\Ljoidf32.exeC:\Windows\system32\Ljoidf32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Lffjih32.exeC:\Windows\system32\Lffjih32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Lqknfq32.exeC:\Windows\system32\Lqknfq32.exe117⤵PID:2728
-
C:\Windows\SysWOW64\Lfhgng32.exeC:\Windows\system32\Lfhgng32.exe118⤵PID:3044
-
C:\Windows\SysWOW64\Mlbokapi.exeC:\Windows\system32\Mlbokapi.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Mfkcdgfi.exeC:\Windows\system32\Mfkcdgfi.exe120⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Mochmm32.exeC:\Windows\system32\Mochmm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Mhklfbcj.exeC:\Windows\system32\Mhklfbcj.exe122⤵PID:2352
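The "Suspicious use of WriteProcessMemory" table records each parent-to-child write four times per hop and names only the writer, so a child's image name has to be recovered from the row in which that PID becomes the writer in turn. The Python below is an added example, not part of the tria.ge report, that folds the repeated rows into one edge per hop and orders them into the relay seen in the Processes tree above, where every dropped executable writes into exactly one child before that child spawns the next. The sample rows are the first four hops of the table, copied verbatim; the column layout (description, pid, Process, procid_target) is taken from the table header.

```python
"""Fold tria.ge "Suspicious use of WriteProcessMemory" rows into a spawn chain.

Added example (not part of the tria.ge report). The sandbox logs every
WriteProcessMemory call, so each parent -> child hop appears several times,
and a row names only the writer; the child's image is learned from the row
where that PID writes in turn.
"""
import re
from collections import Counter

# Constructed sample: the first four hops of this report's table, verbatim.
SAMPLE_ROWS = """
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 2468 wrote to memory of 1560 2468 9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe 29
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 1560 wrote to memory of 2100 1560 Ggofcmih.exe 30
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2100 wrote to memory of 2648 2100 Gmlokdgp.exe 31
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
PID 2648 wrote to memory of 2736 2648 Hffpiikm.exe 32
"""

# Columns per the table header: description, pid, Process, procid_target.
# procid_target is the sandbox's own process index, not the target PID.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P=src) (?P<proc>\S+) (?P<target>\d+)$'
)


def parse_edges(text):
    """Return ({(src_pid, dst_pid): number_of_writes}, {pid: image name of that writer})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src] = m["proc"]
    return edges, names


def spawn_chain(edges, names):
    """Order the hops root-first as [(pid, image)]; None if any writer has more than one target."""
    child_of = {}
    for src, dst in edges:
        if src in child_of:          # branching: not the one-child relay seen in this report
            return None
        child_of[src] = dst
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        return None
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid)))   # the final child never writes, so its image is None
        pid = child_of.get(pid)
    return chain


def write_counts_per_hop(edges):
    """Distinct WriteProcessMemory counts across hops; a single value means every stage behaves alike."""
    return set(edges.values())


if __name__ == "__main__":
    edges, names = parse_edges(SAMPLE_ROWS)
    for pid, image in spawn_chain(edges, names):
        print(pid, image or "(last child, never writes)")
    print("writes per hop:", write_counts_per_hop(edges))
```

The last PID in the chain has no image in the table; in the Processes tree above it is the next entry at one greater depth (PID 2736 is Haldgbkc.exe), which is how the two views of the report are joined.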