Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
67s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 02:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe
-
Size
87KB
-
MD5
ddec97e51565c2a6ac4eecde04e05310
-
SHA1
53eef082be0b23b6950a4d38d0a627b07068639f
-
SHA256
ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56
-
SHA512
048e5f6293d7e6f1d4948ef12d6fdfc71620035e242829775cc183e5f23679512eef4b7f5c57a508c4928aa6c29f746336df5185ae3526ddbff75eeee3ad7fe4
-
SSDEEP
1536:70/Rirl0PUzlH97Prs4SmC44NcU4GJAWX5Ig2RQ4KRSRBDNrR0RVe7R6R8RPD2zx:yRirlIQd9vsStUdJ6g2e/AnDlmbGcGFk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nihgndip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdkop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klinmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmlmmdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eakkkdnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdcjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjbelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conmkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjiiemaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfljpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knckbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igomfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejcjfgbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlgdaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioonfaed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidmniqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iiablido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpjimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lldkem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjcqpbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiepmajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okciddnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpodbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbedmedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchkjhdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpecdio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqiqam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abcppcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqenfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmmhmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjlpclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nppemgjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbgmah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmioa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kehidp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gphokhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihgndip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijklmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfmhla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmhfjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjqinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bajqcqli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfifqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjjaak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olhmnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbnjphpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdfhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmffbek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhknigfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccadhkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnadfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdpjaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpcgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcmmhmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgqbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpkgggnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpckee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmeaaboe.exe -
Executes dropped EXE 64 IoCs
pid Process 2356 Adadedjq.exe 2248 Ajkmbo32.exe 2732 Adcakdhn.exe 2264 Abhnlqlf.exe 2752 Bplofekp.exe 2628 Biecoj32.exe 1656 Bbmggp32.exe 2196 Bpahad32.exe 2888 Blhifemo.exe 2344 Boiagp32.exe 1620 Chccfe32.exe 2984 Ccmcfc32.exe 2060 Cdlppf32.exe 2820 Cgmiba32.exe 2224 Dbgjbo32.exe 964 Dokjlcjh.exe 1332 Domgache.exe 2204 Dheljhof.exe 1996 Dhhhphmc.exe 2300 Dbpmin32.exe 360 Egmeadbk.exe 836 Edafjiqe.exe 1160 Ejnnbpol.exe 1696 Ecfcle32.exe 2976 Eickdlcd.exe 2368 Echpaecj.exe 2712 Emadjj32.exe 2652 Fijadk32.exe 2692 Feqbilcq.exe 1064 Fjpggb32.exe 2276 Fdhlphff.exe 1400 Fmqpinlf.exe 2440 Fdkheh32.exe 2944 Gmcmomjc.exe 1756 Gjgmhaim.exe 2532 Glhjpjok.exe 2436 Gfnnmboa.exe 2392 Gmhfjm32.exe 2968 Gfpkbbmo.exe 1476 Gphokhco.exe 1328 Gajlcp32.exe 2192 Gkbplepn.exe 2100 Hegdinpd.exe 236 Hlamfh32.exe 1500 Hanenoeh.exe 636 Hgknffcp.exe 2824 Hobfgcdb.exe 1844 Hdonpjbi.exe 2716 Hngbhp32.exe 2804 Hpfoekhm.exe 3068 Hgpgae32.exe 2600 Hphljkfk.exe 2140 Jcknqicd.exe 1672 Jjgbbc32.exe 2616 Jkklpk32.exe 2640 Kbedmedg.exe 1532 Kmjhjndm.exe 2932 Kbgqbdbd.exe 1100 Kiaiooja.exe 3040 Kpkali32.exe 1908 Kehidp32.exe 3036 Kgffpk32.exe 1784 Kbljmd32.exe 2024 Kgibeklf.exe -
Loads dropped DLL 64 IoCs
pid Process 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 2356 Adadedjq.exe 2356 Adadedjq.exe 2248 Ajkmbo32.exe 2248 Ajkmbo32.exe 2732 Adcakdhn.exe 2732 Adcakdhn.exe 2264 Abhnlqlf.exe 2264 Abhnlqlf.exe 2752 Bplofekp.exe 2752 Bplofekp.exe 2628 Biecoj32.exe 2628 Biecoj32.exe 1656 Bbmggp32.exe 1656 Bbmggp32.exe 2196 Bpahad32.exe 2196 Bpahad32.exe 2888 Blhifemo.exe 2888 Blhifemo.exe 2344 Boiagp32.exe 2344 Boiagp32.exe 1620 Chccfe32.exe 1620 Chccfe32.exe 2984 Ccmcfc32.exe 2984 Ccmcfc32.exe 2060 Cdlppf32.exe 2060 Cdlppf32.exe 2820 Cgmiba32.exe 2820 Cgmiba32.exe 2224 Dbgjbo32.exe 2224 Dbgjbo32.exe 964 Dokjlcjh.exe 964 Dokjlcjh.exe 1332 Domgache.exe 1332 Domgache.exe 2204 Dheljhof.exe 2204 Dheljhof.exe 1996 Dhhhphmc.exe 1996 Dhhhphmc.exe 2300 Dbpmin32.exe 2300 Dbpmin32.exe 360 Egmeadbk.exe 360 Egmeadbk.exe 836 Edafjiqe.exe 836 Edafjiqe.exe 1160 Ejnnbpol.exe 1160 Ejnnbpol.exe 1696 Ecfcle32.exe 1696 Ecfcle32.exe 2976 Eickdlcd.exe 2976 Eickdlcd.exe 2368 Echpaecj.exe 2368 Echpaecj.exe 2712 Emadjj32.exe 2712 Emadjj32.exe 2652 Fijadk32.exe 2652 Fijadk32.exe 2692 Feqbilcq.exe 2692 Feqbilcq.exe 1064 Fjpggb32.exe 1064 Fjpggb32.exe 2276 Fdhlphff.exe 2276 Fdhlphff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fnleqj32.exe Fgbmdphe.exe File created C:\Windows\SysWOW64\Nbpfence.dll Ekacnjfp.exe File created C:\Windows\SysWOW64\Pcmqnddq.dll Dlajdpoc.exe File opened for modification C:\Windows\SysWOW64\Engpfgql.exe Egmhjm32.exe File created C:\Windows\SysWOW64\Njddec32.dll Gecmghkm.exe File opened for modification C:\Windows\SysWOW64\Ilbknd32.exe Ifecen32.exe File created C:\Windows\SysWOW64\Koggin32.dll Gkbplepn.exe File opened for modification C:\Windows\SysWOW64\Mhbakmgg.exe Mmlmmdga.exe File opened for modification C:\Windows\SysWOW64\Bhdpjaga.exe Bbhgbj32.exe File created C:\Windows\SysWOW64\Dcofqphi.exe Dclikp32.exe File created C:\Windows\SysWOW64\Nimflk32.dll Ffomjgoj.exe File created C:\Windows\SysWOW64\Dobcekld.exe Dgkkdnkb.exe File created C:\Windows\SysWOW64\Cmieca32.dll Gfnpek32.exe File opened for modification C:\Windows\SysWOW64\Hjiiemaj.exe Hdpqhc32.exe File opened for modification C:\Windows\SysWOW64\Jdklcebk.exe Jnadfk32.exe File created C:\Windows\SysWOW64\Kbedmedg.exe Jkklpk32.exe File opened for modification C:\Windows\SysWOW64\Kbljmd32.exe Kgffpk32.exe File opened for modification C:\Windows\SysWOW64\Okbgkk32.exe Ohdkop32.exe File created C:\Windows\SysWOW64\Caligc32.exe Conmkh32.exe File created C:\Windows\SysWOW64\Cojfkela.dll Aoqjhiie.exe File created C:\Windows\SysWOW64\Gdlplb32.exe Gbmdpg32.exe File created C:\Windows\SysWOW64\Edopja32.dll Kooimpao.exe File opened for modification C:\Windows\SysWOW64\Dheljhof.exe Domgache.exe File created C:\Windows\SysWOW64\Bibkoabk.dll Dheljhof.exe File created C:\Windows\SysWOW64\Naadlp32.dll Hldldq32.exe File created C:\Windows\SysWOW64\Mfjaknoe.exe Lmbmbi32.exe File created C:\Windows\SysWOW64\Hanenoeh.exe Hlamfh32.exe File created C:\Windows\SysWOW64\Hdonpjbi.exe Hobfgcdb.exe File created C:\Windows\SysWOW64\Ekacnjfp.exe Edgkap32.exe File created C:\Windows\SysWOW64\Pgnmjokn.exe Pgkqeo32.exe File created C:\Windows\SysWOW64\Pgnpcg32.exe Phibbk32.exe File created C:\Windows\SysWOW64\Adcakdhn.exe Ajkmbo32.exe File created C:\Windows\SysWOW64\Ffogha32.dll Fdhlphff.exe File created C:\Windows\SysWOW64\Mhbakmgg.exe Mmlmmdga.exe File opened for modification C:\Windows\SysWOW64\Nihgndip.exe Ncnoaj32.exe File created C:\Windows\SysWOW64\Bgdinmof.dll Bjbelf32.exe File opened for modification C:\Windows\SysWOW64\Dalffg32.exe Dhcanahm.exe File opened for modification C:\Windows\SysWOW64\Fdcahdib.exe Fniikj32.exe File created C:\Windows\SysWOW64\Gpdhiaoi.exe Gjgpqjqa.exe File created C:\Windows\SysWOW64\Okbgkk32.exe Ohdkop32.exe File created C:\Windows\SysWOW64\Maaiimhq.dll Jlckoh32.exe File opened for modification C:\Windows\SysWOW64\Pqcncnpe.exe Pjiffd32.exe File created C:\Windows\SysWOW64\Klnkgjif.dll Bjphff32.exe File created C:\Windows\SysWOW64\Medlbh32.dll Lqfbbh32.exe File created C:\Windows\SysWOW64\Fbphedgp.dll Hanenoeh.exe File created C:\Windows\SysWOW64\Blfnin32.exe Bfifqg32.exe File opened for modification C:\Windows\SysWOW64\Iblcjohm.exe Ilbknd32.exe File created C:\Windows\SysWOW64\Oljbil32.exe Oepjmbka.exe File created C:\Windows\SysWOW64\Ifecen32.exe Idffib32.exe File opened for modification C:\Windows\SysWOW64\Hakani32.exe Gffmqq32.exe File created C:\Windows\SysWOW64\Iegjnkod.exe Ikafpbon.exe File opened for modification C:\Windows\SysWOW64\Lfkhed32.exe Lgekdh32.exe File opened for modification C:\Windows\SysWOW64\Oodejhfg.exe Ohjmnn32.exe File created C:\Windows\SysWOW64\Ajceba32.dll Nijdcdgn.exe File created C:\Windows\SysWOW64\Pojmiihd.dll Oodejhfg.exe File opened for modification C:\Windows\SysWOW64\Ajnlqgfo.exe Acdcdm32.exe File created C:\Windows\SysWOW64\Bbkmki32.exe Bajqcqli.exe File created C:\Windows\SysWOW64\Hdpqhc32.exe Hmehlibq.exe File opened for modification C:\Windows\SysWOW64\Iihhmhng.exe Ibnppn32.exe File created C:\Windows\SysWOW64\Joijpo32.exe Jgbboa32.exe File created C:\Windows\SysWOW64\Clnjal32.dll Fccncknc.exe File created C:\Windows\SysWOW64\Pmoiknoh.dll Domgache.exe File created C:\Windows\SysWOW64\Oqfeda32.exe Ofaaghom.exe File opened for modification C:\Windows\SysWOW64\Amalcd32.exe Qakkncmi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1064 2204 WerFault.exe 508 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kehidp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjqinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkfil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgmbnfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhlilip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgpfjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmioa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcajekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkeppngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhhdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpqhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphokhco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noepfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmklbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkhbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgnff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adadedjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfljpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogqpjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Depelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeaaboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgibeklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conmkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbmdphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbfpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idffib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmkciap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifhinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aooaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbboa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkqeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgqbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffomjgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emadjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoqjhiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpnchjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmicnhob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecmghkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgahcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfifqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coofoghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hanenoeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engpfgql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogodcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaeokg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldgdpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejeglg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbbidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okefjcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibmglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caligc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiablido.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgknffcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoqbi32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpnchjpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Echpaecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahpfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgjnpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dalffg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knocpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogqihmh.dll" Ilianckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpahad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmcjldbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhcil32.dll" Ejcjfgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdadbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmieca32.dll" Gfnpek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hakani32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egbaelej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blhifemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dheljhof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmcmomjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgnmjokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmghppe.dll" Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdlppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oagkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapcee32.dll" Blkgdmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clcjjimp.dll" Nogodcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gphokhco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abodlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfanfg32.dll" Mgkncfdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoacek32.dll" Hjbljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncnoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgfpoimj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iihhmhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knocpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiedlhj.dll" Dcmkciap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollkojil.dll" Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphqle32.dll" Gaokhdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahkggfo.dll" Bnojpdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Londmb32.dll" Eikmkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljegpof.dll" Ccbojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nihjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgnpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fijadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdedejnm.dll" Hgknffcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlnadiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aigkfhbp.dll" Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpci32.dll" Mmojcceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qakkncmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fglkeaqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gepgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffomjgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blfnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plpehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdccjgcl.dll" Begegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gajlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nogmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekcmkamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glefpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nchkjhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahfoa32.dll" Depelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oafmnb32.dll" Dgkkdnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkklpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmmaoq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 904 wrote to memory of 2356 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 29 PID 904 wrote to memory of 2356 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 29 PID 904 wrote to memory of 2356 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 29 PID 904 wrote to memory of 2356 904 ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe 29 PID 2356 wrote to memory of 2248 2356 Adadedjq.exe 30 PID 2356 wrote to memory of 2248 2356 Adadedjq.exe 30 PID 2356 wrote to memory of 2248 2356 Adadedjq.exe 30 PID 2356 wrote to memory of 2248 2356 Adadedjq.exe 30 PID 2248 wrote to memory of 2732 2248 Ajkmbo32.exe 31 PID 2248 wrote to memory of 2732 2248 Ajkmbo32.exe 31 PID 2248 wrote to memory of 2732 2248 Ajkmbo32.exe 31 PID 2248 wrote to memory of 2732 2248 Ajkmbo32.exe 31 PID 2732 wrote to memory of 2264 2732 Adcakdhn.exe 32 PID 2732 wrote to memory of 2264 2732 Adcakdhn.exe 32 PID 2732 wrote to memory of 2264 2732 Adcakdhn.exe 32 PID 2732 wrote to memory of 2264 2732 Adcakdhn.exe 32 PID 2264 wrote to memory of 2752 2264 Abhnlqlf.exe 33 PID 2264 wrote to memory of 2752 2264 Abhnlqlf.exe 33 PID 2264 wrote to memory of 2752 2264 Abhnlqlf.exe 33 PID 2264 wrote to memory of 2752 2264 Abhnlqlf.exe 33 PID 2752 wrote to memory of 2628 2752 Bplofekp.exe 34 PID 2752 wrote to memory of 2628 2752 Bplofekp.exe 34 PID 2752 wrote to memory of 2628 2752 Bplofekp.exe 34 PID 2752 wrote to memory of 2628 2752 Bplofekp.exe 34 PID 2628 wrote to memory of 1656 2628 Biecoj32.exe 35 PID 2628 wrote to memory of 1656 2628 Biecoj32.exe 35 PID 2628 wrote to memory of 1656 2628 Biecoj32.exe 35 PID 2628 wrote to memory of 1656 2628 Biecoj32.exe 35 PID 1656 wrote to memory of 2196 1656 Bbmggp32.exe 36 PID 1656 wrote to memory of 2196 1656 Bbmggp32.exe 36 PID 1656 wrote to memory of 2196 1656 Bbmggp32.exe 36 PID 1656 wrote to memory of 2196 1656 Bbmggp32.exe 36 PID 2196 wrote to memory of 2888 2196 Bpahad32.exe 37 PID 2196 wrote to memory of 2888 2196 Bpahad32.exe 37 PID 2196 wrote to memory of 2888 2196 Bpahad32.exe 37 PID 2196 wrote to memory of 2888 2196 Bpahad32.exe 37 PID 2888 wrote to memory of 2344 2888 Blhifemo.exe 38 PID 2888 wrote to memory of 2344 2888 Blhifemo.exe 38 PID 2888 wrote to memory of 2344 2888 Blhifemo.exe 38 PID 2888 wrote to memory of 2344 2888 Blhifemo.exe 38 PID 2344 wrote to memory of 1620 2344 Boiagp32.exe 39 PID 2344 wrote to memory of 1620 2344 Boiagp32.exe 39 PID 2344 wrote to memory of 1620 2344 Boiagp32.exe 39 PID 2344 wrote to memory of 1620 2344 Boiagp32.exe 39 PID 1620 wrote to memory of 2984 1620 Chccfe32.exe 40 PID 1620 wrote to memory of 2984 1620 Chccfe32.exe 40 PID 1620 wrote to memory of 2984 1620 Chccfe32.exe 40 PID 1620 wrote to memory of 2984 1620 Chccfe32.exe 40 PID 2984 wrote to memory of 2060 2984 Ccmcfc32.exe 41 PID 2984 wrote to memory of 2060 2984 Ccmcfc32.exe 41 PID 2984 wrote to memory of 2060 2984 Ccmcfc32.exe 41 PID 2984 wrote to memory of 2060 2984 Ccmcfc32.exe 41 PID 2060 wrote to memory of 2820 2060 Cdlppf32.exe 42 PID 2060 wrote to memory of 2820 2060 Cdlppf32.exe 42 PID 2060 wrote to memory of 2820 2060 Cdlppf32.exe 42 PID 2060 wrote to memory of 2820 2060 Cdlppf32.exe 42 PID 2820 wrote to memory of 2224 2820 Cgmiba32.exe 43 PID 2820 wrote to memory of 2224 2820 Cgmiba32.exe 43 PID 2820 wrote to memory of 2224 2820 Cgmiba32.exe 43 PID 2820 wrote to memory of 2224 2820 Cgmiba32.exe 43 PID 2224 wrote to memory of 964 2224 Dbgjbo32.exe 44 PID 2224 wrote to memory of 964 2224 Dbgjbo32.exe 44 PID 2224 wrote to memory of 964 2224 Dbgjbo32.exe 44 PID 2224 wrote to memory of 964 2224 Dbgjbo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe"C:\Users\Admin\AppData\Local\Temp\ac9196f9d8afdf1e8c55a4d5cc5c04176e04ace0df136527f24ea0d2beaebb56N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Abhnlqlf.exeC:\Windows\system32\Abhnlqlf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bplofekp.exeC:\Windows\system32\Bplofekp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Bbmggp32.exeC:\Windows\system32\Bbmggp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Cgmiba32.exeC:\Windows\system32\Cgmiba32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dokjlcjh.exeC:\Windows\system32\Dokjlcjh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Dhhhphmc.exeC:\Windows\system32\Dhhhphmc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:360 -
C:\Windows\SysWOW64\Edafjiqe.exeC:\Windows\system32\Edafjiqe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Ejnnbpol.exeC:\Windows\system32\Ejnnbpol.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Eickdlcd.exeC:\Windows\system32\Eickdlcd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Feqbilcq.exeC:\Windows\system32\Feqbilcq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Fjpggb32.exeC:\Windows\system32\Fjpggb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe33⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Fdkheh32.exeC:\Windows\system32\Fdkheh32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gmcmomjc.exeC:\Windows\system32\Gmcmomjc.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Gjgmhaim.exeC:\Windows\system32\Gjgmhaim.exe36⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe37⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe38⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe40⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gphokhco.exeC:\Windows\system32\Gphokhco.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Gajlcp32.exeC:\Windows\system32\Gajlcp32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Gkbplepn.exeC:\Windows\system32\Gkbplepn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Hegdinpd.exeC:\Windows\system32\Hegdinpd.exe44⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Hanenoeh.exeC:\Windows\system32\Hanenoeh.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe49⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe50⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe52⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe53⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe54⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jjgbbc32.exeC:\Windows\system32\Jjgbbc32.exe55⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe58⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe60⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe61⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe64⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe67⤵PID:828
-
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe68⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Lcbppk32.exeC:\Windows\system32\Lcbppk32.exe69⤵PID:2684
-
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe70⤵PID:1604
-
C:\Windows\SysWOW64\Lmjdia32.exeC:\Windows\system32\Lmjdia32.exe71⤵PID:2160
-
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe73⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe75⤵PID:2524
-
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe76⤵PID:2864
-
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe77⤵PID:2568
-
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe79⤵PID:1744
-
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe80⤵PID:2232
-
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe81⤵PID:844
-
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe82⤵PID:1768
-
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe83⤵PID:2408
-
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe84⤵PID:1392
-
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe86⤵PID:2496
-
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe87⤵
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe88⤵PID:2852
-
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe89⤵PID:2108
-
C:\Windows\SysWOW64\Nldgdpjf.exeC:\Windows\system32\Nldgdpjf.exe90⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Ncnoaj32.exeC:\Windows\system32\Ncnoaj32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe93⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe94⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Nogmkk32.exeC:\Windows\system32\Nogmkk32.exe95⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe97⤵PID:1548
-
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe98⤵PID:1612
-
C:\Windows\SysWOW64\Nlmjjo32.exeC:\Windows\system32\Nlmjjo32.exe99⤵PID:1528
-
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe100⤵PID:1260
-
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe102⤵PID:880
-
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe103⤵PID:2988
-
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe105⤵PID:2596
-
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe106⤵PID:2796
-
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe107⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe109⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe110⤵PID:684
-
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe111⤵PID:276
-
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe112⤵PID:1852
-
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe113⤵PID:972
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe114⤵PID:2476
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe115⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe117⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe118⤵PID:2800
-
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe119⤵PID:2956
-
C:\Windows\SysWOW64\Qakkncmi.exeC:\Windows\system32\Qakkncmi.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe121⤵PID:2608
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-