Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
25s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 05:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe
-
Size
443KB
-
MD5
da2201a0316af37a17401cb68f2845a0
-
SHA1
ef30a842838b4ce74d9296da82864d11de7e7ef6
-
SHA256
d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398
-
SHA512
bd5e487af3f9a7026efbc603794c3ae557fdad1ba5d0d53cc01f4c29b7c63a7200be5a393ac374ad3a409894df04131ce9e073ee8c71d6002a67e6df31415bc9
-
SSDEEP
6144:G/iU9dXjEZGuM7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszJ:Oz9dXjEIB1J1HJ1Uj+HiPj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gconbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcgjmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmmpcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnbhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpopddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkmjoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gecpnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqopcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paocnkph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbfnjeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbadjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfooh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eodicd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmccqbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfmcc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Eiekpd32.exe 1980 Eldglp32.exe 2172 Epbpbnan.exe 2720 Ecploipa.exe 2868 Eaeipfei.exe 2776 Eecafd32.exe 2780 Fdiogq32.exe 2688 Fdkklp32.exe 1268 Fkecij32.exe 2136 Fjjpjgjj.exe 1668 Fcbecl32.exe 2032 Fjlmpfhg.exe 2976 Goiehm32.exe 1964 Gblkoham.exe 1460 Gdkgkcpq.exe 2216 Ggicgopd.exe 1028 Gkephn32.exe 824 Goplilpf.exe 1316 Gdmdacnn.exe 1640 Giipab32.exe 2480 Gkglnm32.exe 492 Gneijien.exe 2008 Gbadjg32.exe 1644 Gepafc32.exe 2496 Ggnmbn32.exe 1620 Hjlioj32.exe 3008 Hnheohcl.exe 2504 Hqfaldbo.exe 2400 Hcdnhoac.exe 2556 Hgpjhn32.exe 2440 Hmmbqegc.exe 2700 Hcgjmo32.exe 1716 Idgglb32.exe 1624 Iakgefqe.exe 1512 Ihdpbq32.exe 1720 Ifgpnmom.exe 2432 Ifjlcmmj.exe 2920 Iihiphln.exe 2904 Jikeeh32.exe 2272 Jlkngc32.exe 1972 Jpgjgboe.exe 3000 Jbefcm32.exe 3052 Jioopgef.exe 1748 Jondnnbk.exe 904 Jehlkhig.exe 2268 Koaqcn32.exe 1776 Kncaojfb.exe 572 Kekiphge.exe 1692 Kdnild32.exe 676 Kglehp32.exe 2308 Knfndjdp.exe 2760 Kdpfadlm.exe 2840 Kgnbnpkp.exe 2864 Kjmnjkjd.exe 2732 Kadfkhkf.exe 2832 Kdbbgdjj.exe 2684 Kgqocoin.exe 2364 Klngkfge.exe 2352 Kcgphp32.exe 2512 Kjahej32.exe 2916 Kpkpadnl.exe 1796 Lcjlnpmo.exe 2196 Lfhhjklc.exe 444 Lhfefgkg.exe -
Loads dropped DLL 64 IoCs
pid Process 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 2088 Eiekpd32.exe 2088 Eiekpd32.exe 1980 Eldglp32.exe 1980 Eldglp32.exe 2172 Epbpbnan.exe 2172 Epbpbnan.exe 2720 Ecploipa.exe 2720 Ecploipa.exe 2868 Eaeipfei.exe 2868 Eaeipfei.exe 2776 Eecafd32.exe 2776 Eecafd32.exe 2780 Fdiogq32.exe 2780 Fdiogq32.exe 2688 Fdkklp32.exe 2688 Fdkklp32.exe 1268 Fkecij32.exe 1268 Fkecij32.exe 2136 Fjjpjgjj.exe 2136 Fjjpjgjj.exe 1668 Fcbecl32.exe 1668 Fcbecl32.exe 2032 Fjlmpfhg.exe 2032 Fjlmpfhg.exe 2976 Goiehm32.exe 2976 Goiehm32.exe 1964 Gblkoham.exe 1964 Gblkoham.exe 1460 Gdkgkcpq.exe 1460 Gdkgkcpq.exe 2216 Ggicgopd.exe 2216 Ggicgopd.exe 1028 Gkephn32.exe 1028 Gkephn32.exe 824 Goplilpf.exe 824 Goplilpf.exe 1316 Gdmdacnn.exe 1316 Gdmdacnn.exe 1640 Giipab32.exe 1640 Giipab32.exe 2480 Gkglnm32.exe 2480 Gkglnm32.exe 492 Gneijien.exe 492 Gneijien.exe 2008 Gbadjg32.exe 2008 Gbadjg32.exe 1644 Gepafc32.exe 1644 Gepafc32.exe 2496 Ggnmbn32.exe 2496 Ggnmbn32.exe 1620 Hjlioj32.exe 1620 Hjlioj32.exe 3008 Hnheohcl.exe 3008 Hnheohcl.exe 2504 Hqfaldbo.exe 2504 Hqfaldbo.exe 2400 Hcdnhoac.exe 2400 Hcdnhoac.exe 2556 Hgpjhn32.exe 2556 Hgpjhn32.exe 2440 Hmmbqegc.exe 2440 Hmmbqegc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bbjpil32.exe Bnochnpm.exe File created C:\Windows\SysWOW64\Ldcinhie.dll Obhdcanc.exe File created C:\Windows\SysWOW64\Olebgfao.exe Oekjjl32.exe File created C:\Windows\SysWOW64\Hkolakkb.exe Hmlkfo32.exe File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe Kkojbf32.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Kmfpmc32.exe Klecfkff.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Iihiphln.exe File created C:\Windows\SysWOW64\Cfibop32.dll Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hmmdin32.exe File created C:\Windows\SysWOW64\Odlhoigp.dll Oplelf32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Adifpk32.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Gdnfjl32.exe Gncnmane.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gepafc32.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Ikqnlh32.exe File opened for modification C:\Windows\SysWOW64\Jpmmfp32.exe Jajmjcoe.exe File opened for modification C:\Windows\SysWOW64\Bbjpil32.exe Bnochnpm.exe File opened for modification C:\Windows\SysWOW64\Eifmimch.exe Efhqmadd.exe File created C:\Windows\SysWOW64\Hmbndmkb.exe Hjcaha32.exe File created C:\Windows\SysWOW64\Fhljkm32.exe Fdqnkoep.exe File created C:\Windows\SysWOW64\Ngdjaofc.exe Ndfnecgp.exe File created C:\Windows\SysWOW64\Djgfah32.dll Dcghkf32.exe File created C:\Windows\SysWOW64\Gnfkba32.exe Gkgoff32.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Mjhjdm32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Cceell32.dll Qgmpibam.exe File created C:\Windows\SysWOW64\Igebkiof.exe Iakino32.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pohhna32.exe File opened for modification C:\Windows\SysWOW64\Bjbndpmd.exe Bgcbhd32.exe File created C:\Windows\SysWOW64\Apkgpf32.exe Anljck32.exe File opened for modification C:\Windows\SysWOW64\Dahkok32.exe Dnjoco32.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hiioin32.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Cmapaflf.dll Koipglep.exe File created C:\Windows\SysWOW64\Qpjqdl32.dll Kaglcgdc.exe File created C:\Windows\SysWOW64\Gnmbpf32.dll Bdfooh32.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bnfddp32.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Feddombd.exe File created C:\Windows\SysWOW64\Locjhqpa.exe Lldmleam.exe File created C:\Windows\SysWOW64\Lpabpcdf.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Ojmklbll.dll Efjmbaba.exe File created C:\Windows\SysWOW64\Ffdmihcc.dll Ibcphc32.exe File created C:\Windows\SysWOW64\Bbhccm32.exe Boifga32.exe File opened for modification C:\Windows\SysWOW64\Hklhae32.exe Hgqlafap.exe File created C:\Windows\SysWOW64\Hdaehcom.dll Aaimopli.exe File created C:\Windows\SysWOW64\Kojgdjqe.dll Eodicd32.exe File opened for modification C:\Windows\SysWOW64\Lkicbk32.exe Lgngbmjp.exe File created C:\Windows\SysWOW64\Glgcpc32.dll Baefnmml.exe File created C:\Windows\SysWOW64\Gconbj32.exe Gqaafn32.exe File opened for modification C:\Windows\SysWOW64\Jkbaci32.exe Jpmmfp32.exe File created C:\Windows\SysWOW64\Fieacp32.dll Ofqmcj32.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Kaaded32.dll Pkaehb32.exe File created C:\Windows\SysWOW64\Ahpifj32.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Cgidfcdk.exe Bqolji32.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Ecploipa.exe File created C:\Windows\SysWOW64\Kofcbl32.exe Kpdcfoph.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Onqkclni.exe Olbogqoe.exe File created C:\Windows\SysWOW64\Dnhgdb32.dll Lhfnkqgk.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmckcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joggci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkndhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djiqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfnkqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabaocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhjdiap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeclebja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnhhjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqgddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elacliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingkdeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijkje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koipglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eodicd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdffoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckdgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbqkiind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accqnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbaci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaejojjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkcekfad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkiqi32.dll" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eanldqgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iieepbje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjedgmpi.dll" Pfebnmcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll" Jplfkjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kageia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Olbfagca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajngeelc.dll" Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnmienj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjpggkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobnlgbf.dll" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbclcja.dll" Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcjnl32.dll" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgmpo32.dll" Bbllnlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhcghdk.dll" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmkhjncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" Cinafkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifaid32.dll" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnheohcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiooq32.dll" Laqojfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jlfnangf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeclebja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onipnblf.dll" Mnglnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2088 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 30 PID 2076 wrote to memory of 2088 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 30 PID 2076 wrote to memory of 2088 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 30 PID 2076 wrote to memory of 2088 2076 d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe 30 PID 2088 wrote to memory of 1980 2088 Eiekpd32.exe 31 PID 2088 wrote to memory of 1980 2088 Eiekpd32.exe 31 PID 2088 wrote to memory of 1980 2088 Eiekpd32.exe 31 PID 2088 wrote to memory of 1980 2088 Eiekpd32.exe 31 PID 1980 wrote to memory of 2172 1980 Eldglp32.exe 32 PID 1980 wrote to memory of 2172 1980 Eldglp32.exe 32 PID 1980 wrote to memory of 2172 1980 Eldglp32.exe 32 PID 1980 wrote to memory of 2172 1980 Eldglp32.exe 32 PID 2172 wrote to memory of 2720 2172 Epbpbnan.exe 33 PID 2172 wrote to memory of 2720 2172 Epbpbnan.exe 33 PID 2172 wrote to memory of 2720 2172 Epbpbnan.exe 33 PID 2172 wrote to memory of 2720 2172 Epbpbnan.exe 33 PID 2720 wrote to memory of 2868 2720 Ecploipa.exe 34 PID 2720 wrote to memory of 2868 2720 Ecploipa.exe 34 PID 2720 wrote to memory of 2868 2720 Ecploipa.exe 34 PID 2720 wrote to memory of 2868 2720 Ecploipa.exe 34 PID 2868 wrote to memory of 2776 2868 Eaeipfei.exe 35 PID 2868 wrote to memory of 2776 2868 Eaeipfei.exe 35 PID 2868 wrote to memory of 2776 2868 Eaeipfei.exe 35 PID 2868 wrote to memory of 2776 2868 Eaeipfei.exe 35 PID 2776 wrote to memory of 2780 2776 Eecafd32.exe 36 PID 2776 wrote to memory of 2780 2776 Eecafd32.exe 36 PID 2776 wrote to memory of 2780 2776 Eecafd32.exe 36 PID 2776 wrote to memory of 2780 2776 Eecafd32.exe 36 PID 2780 wrote to memory of 2688 2780 Fdiogq32.exe 37 PID 2780 wrote to memory of 2688 2780 Fdiogq32.exe 37 PID 2780 wrote to memory of 2688 2780 Fdiogq32.exe 37 PID 2780 wrote to memory of 2688 2780 Fdiogq32.exe 37 PID 2688 wrote to memory of 1268 2688 Fdkklp32.exe 38 PID 2688 wrote to memory of 1268 2688 Fdkklp32.exe 38 PID 2688 wrote to memory of 1268 2688 Fdkklp32.exe 38 PID 2688 wrote to memory of 1268 2688 Fdkklp32.exe 38 PID 1268 wrote to memory of 2136 1268 Fkecij32.exe 39 PID 1268 wrote to memory of 2136 1268 Fkecij32.exe 39 PID 1268 wrote to memory of 2136 1268 Fkecij32.exe 39 PID 1268 wrote to memory of 2136 1268 Fkecij32.exe 39 PID 2136 wrote to memory of 1668 2136 Fjjpjgjj.exe 40 PID 2136 wrote to memory of 1668 2136 Fjjpjgjj.exe 40 PID 2136 wrote to memory of 1668 2136 Fjjpjgjj.exe 40 PID 2136 wrote to memory of 1668 2136 Fjjpjgjj.exe 40 PID 1668 wrote to memory of 2032 1668 Fcbecl32.exe 41 PID 1668 wrote to memory of 2032 1668 Fcbecl32.exe 41 PID 1668 wrote to memory of 2032 1668 Fcbecl32.exe 41 PID 1668 wrote to memory of 2032 1668 Fcbecl32.exe 41 PID 2032 wrote to memory of 2976 2032 Fjlmpfhg.exe 42 PID 2032 wrote to memory of 2976 2032 Fjlmpfhg.exe 42 PID 2032 wrote to memory of 2976 2032 Fjlmpfhg.exe 42 PID 2032 wrote to memory of 2976 2032 Fjlmpfhg.exe 42 PID 2976 wrote to memory of 1964 2976 Goiehm32.exe 43 PID 2976 wrote to memory of 1964 2976 Goiehm32.exe 43 PID 2976 wrote to memory of 1964 2976 Goiehm32.exe 43 PID 2976 wrote to memory of 1964 2976 Goiehm32.exe 43 PID 1964 wrote to memory of 1460 1964 Gblkoham.exe 44 PID 1964 wrote to memory of 1460 1964 Gblkoham.exe 44 PID 1964 wrote to memory of 1460 1964 Gblkoham.exe 44 PID 1964 wrote to memory of 1460 1964 Gblkoham.exe 44 PID 1460 wrote to memory of 2216 1460 Gdkgkcpq.exe 45 PID 1460 wrote to memory of 2216 1460 Gdkgkcpq.exe 45 PID 1460 wrote to memory of 2216 1460 Gdkgkcpq.exe 45 PID 1460 wrote to memory of 2216 1460 Gdkgkcpq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe"C:\Users\Admin\AppData\Local\Temp\d04d1c2059a69ac6c3c06e3e31ad5a9b1fe28b34686dcc39f1d3202885f96398N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:492 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe34⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe35⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe36⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe37⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe38⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe40⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe41⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe42⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe43⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe44⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe45⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe46⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe47⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe48⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe49⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe50⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe51⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe53⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe55⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe58⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe59⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe60⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe61⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe64⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe65⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe66⤵PID:660
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe67⤵PID:264
-
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe68⤵PID:1700
-
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe69⤵PID:2248
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe70⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe71⤵PID:1480
-
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe72⤵PID:2340
-
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe73⤵PID:2768
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe74⤵PID:2872
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe75⤵PID:2648
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe76⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe77⤵PID:2888
-
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe78⤵PID:1800
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe79⤵PID:2992
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe80⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe82⤵PID:3048
-
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe83⤵PID:832
-
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe86⤵PID:1852
-
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe87⤵PID:2520
-
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe89⤵PID:1932
-
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe90⤵PID:2560
-
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe91⤵PID:2692
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe92⤵PID:2848
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe93⤵PID:2500
-
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe94⤵PID:2668
-
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe95⤵PID:1400
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe96⤵PID:896
-
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe97⤵PID:1792
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe99⤵PID:2708
-
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe100⤵PID:1600
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe101⤵PID:2960
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe102⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe103⤵PID:2124
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe104⤵PID:2592
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe105⤵PID:2596
-
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe107⤵PID:1428
-
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe108⤵PID:876
-
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe109⤵PID:2796
-
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe110⤵PID:2928
-
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe111⤵PID:2820
-
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe112⤵PID:2144
-
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe113⤵PID:1988
-
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe114⤵PID:1836
-
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe115⤵PID:2896
-
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe116⤵PID:396
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe117⤵PID:1520
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe118⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe119⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe120⤵PID:988
-
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-