Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 19:12
Static task: static1
Behavioral task: behavioral1
  Sample: 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe
  Resource: win10v2004-20240802-en
General
Target: 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe
Size: 109KB
MD5: b84457ea677ab04559e45ffd3839c82c
SHA1: e64731fe650b46f20c3ff1b2e0cac3f646c2b962
SHA256: 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a
SHA512: ff118ad0f495b581c4dc9389cdb658181a59c8f340c41033a1acee7c63f16e5afe156a2ea3dffe22270ea0d2e52f0fb7cf2af74e30fda7a80dd5de31548c4c12
SSDEEP: 3072:GuHYvfgQsdyLfUGaN8fo3PXl9Z7S/yCsKh2EzZA/z:dHE9/aNgo35e/yCthvUz
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Values under ShellServiceObjectDelayLoad name COM objects (by CLSID) that Explorer instantiates at logon. Every process in the dropped-file chain writes the same value, "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717}; the matching CLSID\{...}\InProcServer32 registration (see "Modifies registry class" below) points that CLSID at a dropped DLL in SysWOW64, so the DLL is loaded into explorer.exe at each logon. The Wow6432Node path is the 32-bit registry view: the x86 sample runs under WOW64 on the x64 image.
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 IoCs), by process:
  Dochelmj.exe, Hpoofm32.exe, Fakglf32.exe, Pajeanhf.exe, Fikgda32.exe, Glomllkd.exe, Jpcdqpqj.exe, Clfhml32.exe, Cpbnaj32.exe, Pmecbkgj.exe, Knoaeimg.exe, Monjcp32.exe, Pdkhag32.exe, Ollcee32.exe, Lnlaomae.exe, Epipql32.exe, Lpddgd32.exe, Nebnigmp.exe, Einebddd.exe, Faijggao.exe, Kbcddlnd.exe, Acjdgf32.exe, Ogdaod32.exe, Qekdpkgj.exe, Bjfpdf32.exe, Ogjhnp32.exe, Pbjkop32.exe, Bkkioeig.exe, Kqkalenn.exe, Enkdda32.exe, Gbffjmmp.exe, Jcckibfg.exe, Dpdfemkm.exe, Golgon32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (30 IoCs), by process:
  Bdcnhk32.exe, Blaobmkq.exe, Qmpplh32.exe, Anpooe32.exe, Ekhjlioa.exe, Cppakj32.exe, Golgon32.exe, Ncjbba32.exe, Bppdlgjk.exe, Ckchcc32.exe, Gihnkejd.exe, Hffjng32.exe, Mbdfni32.exe, Okkddd32.exe, Bacefpbg.exe, Monjcp32.exe, Pnfipm32.exe, Lepclldc.exe, Habili32.exe, Icabeo32.exe, Qgfkchmp.exe, Ajapoqmf.exe, Jhqeka32.exe, Mpkhoj32.exe, Ehaolpke.exe, Mlahdkjc.exe, Ngqeha32.exe, Pkepnalk.exe, Qfkgdd32.exe, Gbkaneao.exe
Executes dropped EXE 64 IoCs
pid   Process (listed in execution order; each entry is the child of the one before it, see "Suspicious use of WriteProcessMemory")
2796 Kppldhla.exe   2716 Klfmijae.exe   2528 Klkfdi32.exe   2684 Llpoohik.exe
1680 Lkelpd32.exe   1292 Laodmoep.exe   2108 Lcdjpfgh.exe   2236 Mpkhoj32.exe
2200 Mlahdkjc.exe   2160 Ofaolcmh.exe    524 Obhpad32.exe   2184 Pflbpg32.exe
2300 Pjjkfe32.exe   1268 Pefhlcdk.exe   1540 Phgannal.exe   1068 Anecfgdc.exe
3000 Adblnnbk.exe   2052 Abjeejep.exe   2928 Apnfno32.exe   1480 Boeoek32.exe
 868 Blkmdodf.exe   2652 Bggjjlnb.exe   1584 Cppobaeb.exe   2384 Cnflae32.exe
2776 Cfaqfh32.exe   2748 Cbjnqh32.exe   2632 Dlpbna32.exe   2544 Ddmchcnd.exe
 324 Dochelmj.exe   2032 Djmiejji.exe   1044 Ddbmcb32.exe   2640 Eddjhb32.exe
1920 Empomd32.exe   2340 Eqngcc32.exe    520 Efjpkj32.exe    320 Ekghcq32.exe
1868 Eikimeff.exe   2360 Einebddd.exe   2104 Faijggao.exe   2084 Fakglf32.exe
 544 Flqkjo32.exe   2000 Fnogfk32.exe   1792 Fdlpnamm.exe   2308 Fdnlcakk.exe
3048 Fmfalg32.exe   1072 Fdqiiaih.exe   2984 Gminbfoh.exe   2040 Gbffjmmp.exe
2812 Golgon32.exe   2828 Glpgibbn.exe   2592 Gampaipe.exe   2600 Ghghnc32.exe
1696 Gekhgh32.exe   1760 Ghidcceo.exe   2020 Habili32.exe   1476 Hkjnenbp.exe
2468 Hadfah32.exe   1708 Hkmjjn32.exe   1732 Hgckoofa.exe   2368 Hjddaj32.exe
1772 Hghdjn32.exe   1972 Ilemce32.exe   1912 Iemalkgd.exe    316 Icabeo32.exe
Loads dropped DLL 64 IoCs
pid   Process (each of these 32 processes appears twice in the 64-row table, one row per DLL-load event)
2248 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe
2796 Kppldhla.exe   2716 Klfmijae.exe   2528 Klkfdi32.exe   2684 Llpoohik.exe
1680 Lkelpd32.exe   1292 Laodmoep.exe   2108 Lcdjpfgh.exe   2236 Mpkhoj32.exe
2200 Mlahdkjc.exe   2160 Ofaolcmh.exe    524 Obhpad32.exe   2184 Pflbpg32.exe
2300 Pjjkfe32.exe   1268 Pefhlcdk.exe   1540 Phgannal.exe   1068 Anecfgdc.exe
3000 Adblnnbk.exe   2052 Abjeejep.exe   2928 Apnfno32.exe   1480 Boeoek32.exe
 868 Blkmdodf.exe   2652 Bggjjlnb.exe   1584 Cppobaeb.exe   2384 Cnflae32.exe
2776 Cfaqfh32.exe   2748 Cbjnqh32.exe   2632 Dlpbna32.exe   2544 Ddmchcnd.exe
 324 Dochelmj.exe   2032 Djmiejji.exe   1044 Ddbmcb32.exe
Drops file in System32 directory 64 IoCs
description                    ioc                                  Process
File created                   C:\Windows\SysWOW64\Fbjhhm32.dll     Omqjgl32.exe
File created                   C:\Windows\SysWOW64\Imcfjg32.exe     Hdkaabnh.exe
File opened for modification   C:\Windows\SysWOW64\Cipleo32.exe     Ccecheeb.exe
File created                   C:\Windows\SysWOW64\Dhfljfho.dll     Faijggao.exe
File opened for modification   C:\Windows\SysWOW64\Ojpaeq32.exe     Odcimipf.exe
File created                   C:\Windows\SysWOW64\Abhnddbn.dll     20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe
File created                   C:\Windows\SysWOW64\Oogiha32.exe     Oikapk32.exe
File created                   C:\Windows\SysWOW64\Ohjmlaci.exe     Okfmbm32.exe
File opened for modification   C:\Windows\SysWOW64\Phgannal.exe     Pefhlcdk.exe
File created                   C:\Windows\SysWOW64\Bgjond32.dll     Djmiejji.exe
File created                   C:\Windows\SysWOW64\Pajeanhf.exe     Pnkiebib.exe
File created                   C:\Windows\SysWOW64\Aemmee32.dll     Qmepanje.exe
File created                   C:\Windows\SysWOW64\Dcmpcjcf.exe     Dckcnj32.exe
File opened for modification   C:\Windows\SysWOW64\Ialadj32.exe     Ieeqpi32.exe
File created                   C:\Windows\SysWOW64\Iekgod32.exe     Hpoofm32.exe
File created                   C:\Windows\SysWOW64\Ghidcceo.exe     Gekhgh32.exe
File created                   C:\Windows\SysWOW64\Jjejnabb.dll     Hadfah32.exe
File opened for modification   C:\Windows\SysWOW64\Lnnndl32.exe     Liaeleak.exe
File created                   C:\Windows\SysWOW64\Gjdhaj32.dll     Bhbpahan.exe
File created                   C:\Windows\SysWOW64\Kkckblgq.exe     Knpkhhhg.exe
File created                   C:\Windows\SysWOW64\Qojagi32.dll     Gampaipe.exe
File created                   C:\Windows\SysWOW64\Bikfklni.exe     Bneancnc.exe
File created                   C:\Windows\SysWOW64\Hmfmoo32.dll     Ihlpqonl.exe
File created                   C:\Windows\SysWOW64\Klalgq32.dll     Klkfdi32.exe
File created                   C:\Windows\SysWOW64\Oaomng32.dll     Ehgaknbp.exe
File opened for modification   C:\Windows\SysWOW64\Eqngcc32.exe     Empomd32.exe
File created                   C:\Windows\SysWOW64\Iomgfhen.dll     Fnogfk32.exe
File opened for modification   C:\Windows\SysWOW64\Kmfklepl.exe     Kqokgd32.exe
File created                   C:\Windows\SysWOW64\Idkbii32.dll     Pkepnalk.exe
File opened for modification   C:\Windows\SysWOW64\Enhcnd32.exe     Edpoeoea.exe
File opened for modification   C:\Windows\SysWOW64\Nanhihno.exe     Ndjhpcoe.exe
File opened for modification   C:\Windows\SysWOW64\Hkjnenbp.exe     Habili32.exe
File opened for modification   C:\Windows\SysWOW64\Jqbbhg32.exe     Jgjmoace.exe
File created                   C:\Windows\SysWOW64\Manjaldo.exe     Lepclldc.exe
File opened for modification   C:\Windows\SysWOW64\Ogdaod32.exe     Ojpaeq32.exe
File opened for modification   C:\Windows\SysWOW64\Ojdjqp32.exe     Ockbdebl.exe
File created                   C:\Windows\SysWOW64\Dmknff32.dll     Aeenapck.exe
File created                   C:\Windows\SysWOW64\Nahfkigd.exe     Nmjmekan.exe
File created                   C:\Windows\SysWOW64\Hjlkkhne.dll     Capdpcge.exe
File opened for modification   C:\Windows\SysWOW64\Ooemcb32.exe     Ogjhnp32.exe
File opened for modification   C:\Windows\SysWOW64\Pmkfqind.exe     Pnfipm32.exe
File opened for modification   C:\Windows\SysWOW64\Jojnglco.exe     Jhqeka32.exe
File created                   C:\Windows\SysWOW64\Kfadkk32.dll     Einebddd.exe
File created                   C:\Windows\SysWOW64\Kacclb32.dll     Bgdfjfmi.exe
File opened for modification   C:\Windows\SysWOW64\Fdlpnamm.exe     Fnogfk32.exe
File created                   C:\Windows\SysWOW64\Qgfkchmp.exe     Pnnfkb32.exe
File created                   C:\Windows\SysWOW64\Kopnma32.exe     Knoaeimg.exe
File created                   C:\Windows\SysWOW64\Enhcnd32.exe     Edpoeoea.exe
File created                   C:\Windows\SysWOW64\Gcchgini.exe     Gllpflng.exe
File created                   C:\Windows\SysWOW64\Mnpfkfcn.dll     Johaalea.exe
File created                   C:\Windows\SysWOW64\Gaejddnk.dll     Migdig32.exe
File created                   C:\Windows\SysWOW64\Blkmdodf.exe     Boeoek32.exe
File opened for modification   C:\Windows\SysWOW64\Fakglf32.exe     Faijggao.exe
File created                   C:\Windows\SysWOW64\Ogdaod32.exe     Ojpaeq32.exe
File created                   C:\Windows\SysWOW64\Poacighp.exe     Ojdjqp32.exe
File created                   C:\Windows\SysWOW64\Ndjhjkfi.dll     Anpooe32.exe
File created                   C:\Windows\SysWOW64\Gagmjgmm.dll     Ikicikap.exe
File created                   C:\Windows\SysWOW64\Hiohip32.dll     Lmnkpc32.exe
File created                   C:\Windows\SysWOW64\Oaqejn32.dll     Flqkjo32.exe
File opened for modification   C:\Windows\SysWOW64\Fmfalg32.exe     Fdnlcakk.exe
File created                   C:\Windows\SysWOW64\Pbjkop32.exe     Pibgfjdh.exe
File opened for modification   C:\Windows\SysWOW64\Apnfno32.exe     Abjeejep.exe
File created                   C:\Windows\SysWOW64\Ockbdebl.exe     Omqjgl32.exe
File opened for modification   C:\Windows\SysWOW64\Mejoei32.exe     Moqgiopk.exe
Program crash 1 IoCs
pid: 4820
pid_target: 4744
Process: WerFault.exe
procid_target: 382
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 IoCs), by process:
  Ockdmn32.exe, Cppobaeb.exe, Cgdciiod.exe, Ehaolpke.exe, Ilifndlo.exe, Omgfdhbq.exe, Iekgod32.exe, Dlpbna32.exe, Kopnma32.exe, Ncloha32.exe, Imcfjg32.exe, Ljgkom32.exe, Qnalcqpm.exe, Cpbnaj32.exe, Kkckblgq.exe, Boeoek32.exe, Pqgilnji.exe, Dleelp32.exe, 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe, Ilemce32.exe, Bhbpahan.exe, Ikjlmjmp.exe, Kqcqpc32.exe, Mpkhoj32.exe, Eikimeff.exe, Bneancnc.exe, Gdihmo32.exe, Gihnkejd.exe, Kqkalenn.exe, Lckflc32.exe, Dakpiajj.exe, Adblnnbk.exe, Ghidcceo.exe, Gmoppefc.exe, Jjilde32.exe, Lgmekpmn.exe, Nomphm32.exe, Gllpflng.exe, Gapoob32.exe, Jojnglco.exe, Ngjoif32.exe, Omqjgl32.exe, Eoajgh32.exe, Qnpcpa32.exe, Moqgiopk.exe, Pcenmcea.exe, Habili32.exe, Idghhf32.exe, Manjaldo.exe, Pbjkop32.exe, Bmelpa32.exe, Capdpcge.exe, Pcqebd32.exe, Emjjfb32.exe, Ghbhhnhk.exe, Hdkaabnh.exe, Monjcp32.exe, Bimbql32.exe, Eddjhb32.exe, Jcckibfg.exe, Ejiadgkl.exe, Kkhdml32.exe, Ogpjmn32.exe, Gibmep32.exe
Modifies registry class 64 IoCs
All 64 writes target \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the in-process COM server registration for the CLSID named in the ShellServiceObjectDelayLoad value above. Each process re-points the key's (Default) value at its own dropped DLL under C:\Windows\SysWow64, so whichever process wrote last decides which DLL Explorer loads.
Key created ...\InProcServer32 (19 IoCs), by process:
  Ddbolkac.exe, Cfaqfh32.exe, Cbjnqh32.exe, Ghidcceo.exe, Almihjlj.exe, Dckcnj32.exe, Pibgfjdh.exe, Qekdpkgj.exe, Loocanbe.exe, Idghhf32.exe, Idmnga32.exe, Qnalcqpm.exe, Phgannal.exe, Ekhjlioa.exe, Mnkfcjqe.exe, Ejadibmh.exe, Lpddgd32.exe, Ajapoqmf.exe, Kkfhglen.exe
Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (18 IoCs), by process:
  Jghcbjll.exe, Gminbfoh.exe, Pfnhkq32.exe, Hfnkji32.exe, Jfjjkhhg.exe, Ddbolkac.exe, Fgqhgjbb.exe, Ocfkaone.exe, Ockbdebl.exe, Efjpkj32.exe, Qnciiq32.exe, Einebddd.exe, Jpqgkpcl.exe, Idmnga32.exe, Lnlaomae.exe, Ogjhnp32.exe, Blkmdodf.exe, Lmnkpc32.exe
Set value (str) ...\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>" (27 IoCs), DLL and writing process:
  Gjhoogoe.dll  Ikapdqoc.exe
  Mdmlljbm.dll  Jpqgkpcl.exe
  Eceihc32.dll  Oknjmb32.exe
  Nqonejfa.dll  Lojjfo32.exe
  Idlmjnop.dll  Idghhf32.exe
  Obkdmi32.dll  Cllkkk32.exe
  Mmhaikja.dll  Mgoaap32.exe
  Mcmoeong.dll  Befpkmph.exe
  Eedmnimd.dll  Fnoiocfj.exe
  Deafohkc.dll  Mlahdkjc.exe
  Aeackjhh.dll  Ekghcq32.exe
  Jinqgg32.dll  Fdgefn32.exe
  Lgcciach.dll  Jjmcfl32.exe
  Nakahn32.dll  Gapoob32.exe
  Iomgfhen.dll  Fnogfk32.exe
  Nceqcnpi.dll  Dlpbna32.exe
  Nhoqcpkl.dll  Pmkfqind.exe
  Cgefap32.dll  Jkioho32.exe
  Hjlnkheo.dll  Ileoknhh.exe
  Dqgchlio.dll  Fdqiiaih.exe
  Cadmjo32.dll  Pcqebd32.exe
  Jjghbbmo.dll  Ddmchcnd.exe
  Mnohgfgb.dll  Nkqjdo32.exe
  Fhpqof32.dll  Gbkaneao.exe
  Iejohemh.dll  Akjfhdka.exe
  Mbiamkii.dll  Ckchcc32.exe
  Aapnli32.dll  Cihedpcg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2248 wrote to memory of 2796 | 2248 | 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe | 30 (4 identical records)
PID 2796 wrote to memory of 2716 | 2796 | Kppldhla.exe | 31 (4 identical records)
PID 2716 wrote to memory of 2528 | 2716 | Klfmijae.exe | 32 (4 identical records)
PID 2528 wrote to memory of 2684 | 2528 | Klkfdi32.exe | 33 (4 identical records)
PID 2684 wrote to memory of 1680 | 2684 | Llpoohik.exe | 34 (4 identical records)
PID 1680 wrote to memory of 1292 | 1680 | Lkelpd32.exe | 35 (4 identical records)
PID 1292 wrote to memory of 2108 | 1292 | Laodmoep.exe | 36 (4 identical records)
PID 2108 wrote to memory of 2236 | 2108 | Lcdjpfgh.exe | 37 (4 identical records)
PID 2236 wrote to memory of 2200 | 2236 | Mpkhoj32.exe | 38 (4 identical records)
PID 2200 wrote to memory of 2160 | 2200 | Mlahdkjc.exe | 39 (4 identical records)
PID 2160 wrote to memory of 524 | 2160 | Ofaolcmh.exe | 40 (4 identical records)
PID 524 wrote to memory of 2184 | 524 | Obhpad32.exe | 41 (4 identical records)
PID 2184 wrote to memory of 2300 | 2184 | Pflbpg32.exe | 42 (4 identical records)
PID 2300 wrote to memory of 1268 | 2300 | Pjjkfe32.exe | 43 (4 identical records)
PID 1268 wrote to memory of 1540 | 1268 | Pefhlcdk.exe | 44 (4 identical records)
PID 1540 wrote to memory of 1068 | 1540 | Phgannal.exe | 45 (4 identical records)
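The registry rows listed under the autorun and "Modifies registry class" signatures above describe one persistence mechanism: a ShellServiceObjectDelayLoad value named "Web Event Logger" points at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and the InProcServer32 default value of that CLSID is rewritten by stage after stage to a freshly dropped DLL under SysWow64, so Explorer loads whichever DLL was registered last. The Python script below is an added example, not part of this report or of any Triage tooling: it parses a constructed sample of six rows copied from the table above, joins the ShellServiceObjectDelayLoad value to its CLSID registration, and flags a CLSID whose in-process server has been pointed at more than one DLL. The row layout it expects and the function names are assumptions.

```python
import re

# Constructed sample: six rows copied from the registry IoC table of this report, one row per
# line, in the "description  ioc  Process" order that the sandbox table flattens into text.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdcnhk32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phgannal.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll" Dlpbna32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Einebddd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgefap32.dll" Jkioho32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlnkheo.dll" Ileoknhh.exe',
]

# Assumed row layouts: "Set value (type) <key\value> = "<data>" <process>" and
# "Key created <key> <process>", as flattened from the sandbox table.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\\S+) (\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\\InProcServer32$', re.I)


def parse_row(row):
    """Return (action, key, value_name, data, process) for one flattened IoC row."""
    m = SET_RE.match(row)
    if m:
        _kind, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")      # a trailing "\" means the (Default) value
        return ("set", key, name, data.replace("\\\\", "\\"), proc)
    m = KEY_RE.match(row)
    if m:
        key, proc = m.groups()
        return ("create", key, None, None, proc)
    raise ValueError("unrecognised row: " + row)


def resolve_ssodl(rows):
    """Join each ShellServiceObjectDelayLoad value to the CLSID registration it points at."""
    entries = {}   # SSODL value name -> clsid, set_by, created_by, dlls, threading, suspicious
    inproc = {}    # CLSID -> {"created_by": [...], "dlls": [(path, process)], "threading": str}
    for row in rows:
        action, key, name, data, proc = parse_row(row)
        if action == "set" and key.upper().endswith("\\SHELLSERVICEOBJECTDELAYLOAD"):
            entries.setdefault(name, {"clsid": data.upper(), "set_by": []})["set_by"].append(proc)
            continue
        m = CLSID_RE.search(key)
        if not m:
            continue
        reg = inproc.setdefault(m.group(1).upper(), {"created_by": [], "dlls": [], "threading": None})
        if action == "create":
            reg["created_by"].append(proc)
        elif name == "":
            reg["dlls"].append((data, proc))
        elif name.lower() == "threadingmodel":
            reg["threading"] = data
    for e in entries.values():
        e.update(inproc.get(e["clsid"], {"created_by": [], "dlls": [], "threading": None}))
        # A legitimate shell service object is registered once. A CLSID whose in-process
        # server is re-pointed at several different DLLs is a persistence slot being recycled.
        e["suspicious"] = len({path for path, _ in e["dlls"]}) > 1
    return entries


def describe(entries):
    """Render the resolved chain: one line per SSODL entry, one per DLL it has pointed at."""
    lines = []
    for name, e in entries.items():
        flag = "  [SUSPICIOUS]" if e["suspicious"] else ""
        lines.append("%s -> %s set by %s%s" % (name, e["clsid"], ", ".join(e["set_by"]), flag))
        for path, proc in e["dlls"]:
            lines.append("    InProcServer32 = %s (written by %s, %s)" % (path, proc, e["threading"]))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(resolve_ssodl(SAMPLE_ROWS))))
```

Run against the full table the same resolver lists every DLL name the CLSID has been pointed at, which is the list of files to pull from the sandbox and the list of paths to hunt for on a live host; on a clean machine each ShellServiceObjectDelayLoad CLSID resolves to exactly one signed DLL in System32.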
Processes
- C:\Users\Admin\AppData\Local\Temp\20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe (level 1, PID 2248), command line: "C:\Users\Admin\AppData\Local\Temp\20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kppldhla.exe (level 2, PID 2796), command line: C:\Windows\system32\Kppldhla.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Klfmijae.exe (level 3, PID 2716), command line: C:\Windows\system32\Klfmijae.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Klkfdi32.exe (level 4, PID 2528), command line: C:\Windows\system32\Klkfdi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Llpoohik.exe (level 5, PID 2684), command line: C:\Windows\system32\Llpoohik.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lkelpd32.exe (level 6, PID 1680), command line: C:\Windows\system32\Lkelpd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Laodmoep.exe (level 7, PID 1292), command line: C:\Windows\system32\Laodmoep.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lcdjpfgh.exe (level 8, PID 2108), command line: C:\Windows\system32\Lcdjpfgh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mpkhoj32.exe (level 9, PID 2236), command line: C:\Windows\system32\Mpkhoj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mlahdkjc.exe (level 10, PID 2200), command line: C:\Windows\system32\Mlahdkjc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ofaolcmh.exe (level 11, PID 2160), command line: C:\Windows\system32\Ofaolcmh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Obhpad32.exe (level 12, PID 524), command line: C:\Windows\system32\Obhpad32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pflbpg32.exe (level 13, PID 2184), command line: C:\Windows\system32\Pflbpg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pjjkfe32.exe (level 14, PID 2300), command line: C:\Windows\system32\Pjjkfe32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pefhlcdk.exe (level 15, PID 1268), command line: C:\Windows\system32\Pefhlcdk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Phgannal.exe (level 16, PID 1540), command line: C:\Windows\system32\Phgannal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Anecfgdc.exe (level 17, PID 1068), command line: C:\Windows\system32\Anecfgdc.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Adblnnbk.exe (level 18, PID 3000), command line: C:\Windows\system32\Adblnnbk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Abjeejep.exe (level 19, PID 2052), command line: C:\Windows\system32\Abjeejep.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Apnfno32.exe (level 20, PID 2928), command line: C:\Windows\system32\Apnfno32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Boeoek32.exe (level 21, PID 1480), command line: C:\Windows\system32\Boeoek32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Blkmdodf.exe (level 22, PID 868), command line: C:\Windows\system32\Blkmdodf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Bggjjlnb.exe (level 23, PID 2652), command line: C:\Windows\system32\Bggjjlnb.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Cppobaeb.exe (level 24, PID 1584), command line: C:\Windows\system32\Cppobaeb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Cnflae32.exe (level 25, PID 2384), command line: C:\Windows\system32\Cnflae32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Cfaqfh32.exe (level 26, PID 2776), command line: C:\Windows\system32\Cfaqfh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Cbjnqh32.exe (level 27, PID 2748), command line: C:\Windows\system32\Cbjnqh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Dlpbna32.exe (level 28, PID 2632), command line: C:\Windows\system32\Dlpbna32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- C:\Windows\SysWOW64\Ddmchcnd.exe (level 29, PID 2544), command line: C:\Windows\system32\Ddmchcnd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Dochelmj.exe (level 30, PID 324), command line: C:\Windows\system32\Dochelmj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Djmiejji.exe (level 31, PID 2032), command line: C:\Windows\system32\Djmiejji.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ddbmcb32.exe (level 32, PID 1044), command line: C:\Windows\system32\Ddbmcb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Eddjhb32.exe (level 33, PID 2640), command line: C:\Windows\system32\Eddjhb32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Empomd32.exe (level 34, PID 1920), command line: C:\Windows\system32\Empomd32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Eqngcc32.exe (level 35, PID 2340), command line: C:\Windows\system32\Eqngcc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Efjpkj32.exe (level 36, PID 520), command line: C:\Windows\system32\Efjpkj32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ekghcq32.exe (level 37, PID 320), command line: C:\Windows\system32\Ekghcq32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Eikimeff.exe (level 38, PID 1868), command line: C:\Windows\system32\Eikimeff.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Einebddd.exe (level 39, PID 2360), command line: C:\Windows\system32\Einebddd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Faijggao.exe (level 40, PID 2104), command line: C:\Windows\system32\Faijggao.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fakglf32.exe (level 41, PID 2084), command line: C:\Windows\system32\Fakglf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Flqkjo32.exe (level 42, PID 544), command line: C:\Windows\system32\Flqkjo32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fnogfk32.exe (level 43, PID 2000), command line: C:\Windows\system32\Fnogfk32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Fdlpnamm.exe (level 44, PID 1792), command line: C:\Windows\system32\Fdlpnamm.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fdnlcakk.exe (level 45, PID 2308), command line: C:\Windows\system32\Fdnlcakk.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fmfalg32.exe (level 46, PID 3048), command line: C:\Windows\system32\Fmfalg32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fdqiiaih.exe (level 47, PID 1072), command line: C:\Windows\system32\Fdqiiaih.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Gminbfoh.exe (level 48, PID 2984), command line: C:\Windows\system32\Gminbfoh.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Gbffjmmp.exe (level 49, PID 2040), command line: C:\Windows\system32\Gbffjmmp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Golgon32.exe (level 50, PID 2812), command line: C:\Windows\system32\Golgon32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Glpgibbn.exe (level 51, PID 2828), command line: C:\Windows\system32\Glpgibbn.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gampaipe.exe (level 52, PID 2592), command line: C:\Windows\system32\Gampaipe.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ghghnc32.exe (level 53, PID 2600), command line: C:\Windows\system32\Ghghnc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gekhgh32.exe (level 54, PID 1696), command line: C:\Windows\system32\Gekhgh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ghidcceo.exe (level 55, PID 1760), command line: C:\Windows\system32\Ghidcceo.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- C:\Windows\SysWOW64\Habili32.exe (level 56, PID 2020), command line: C:\Windows\system32\Habili32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Hkjnenbp.exe (level 57, PID 1476), command line: C:\Windows\system32\Hkjnenbp.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hadfah32.exe (level 58, PID 2468), command line: C:\Windows\system32\Hadfah32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hkmjjn32.exe (level 59, PID 1708), command line: C:\Windows\system32\Hkmjjn32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hgckoofa.exe (level 60, PID 1732), command line: C:\Windows\system32\Hgckoofa.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hjddaj32.exe (level 61, PID 2368), command line: C:\Windows\system32\Hjddaj32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hghdjn32.exe (level 62, PID 1772), command line: C:\Windows\system32\Hghdjn32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ilemce32.exe (level 63, PID 1972), command line: C:\Windows\system32\Ilemce32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Iemalkgd.exe (level 64, PID 1912), command line: C:\Windows\system32\Iemalkgd.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Icabeo32.exe (level 65, PID 316), command line: C:\Windows\system32\Icabeo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ilifndlo.exe (level 66, PID 2028), command line: C:\Windows\system32\Ilifndlo.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Ifbkgj32.exe (level 67, PID 2460), command line: C:\Windows\system32\Ifbkgj32.exe
- C:\Windows\SysWOW64\Iojopp32.exe (level 68, PID 3052), command line: C:\Windows\system32\Iojopp32.exe
- C:\Windows\SysWOW64\Idghhf32.exe (level 69, PID 860), command line: C:\Windows\system32\Idghhf32.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- C:\Windows\SysWOW64\Ikapdqoc.exe (level 70, PID 928), command line: C:\Windows\system32\Ikapdqoc.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Jdidmf32.exe (level 71, PID 2756), command line: C:\Windows\system32\Jdidmf32.exe
- C:\Windows\SysWOW64\Jmdiahco.exe (level 72, PID 3008), command line: C:\Windows\system32\Jmdiahco.exe
- C:\Windows\SysWOW64\Jgjmoace.exe (level 73, PID 2672), command line: C:\Windows\system32\Jgjmoace.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jqbbhg32.exe (level 74, PID 2744), command line: C:\Windows\system32\Jqbbhg32.exe
- C:\Windows\SysWOW64\Jinfli32.exe (level 75, PID 2080), command line: C:\Windows\system32\Jinfli32.exe
- C:\Windows\SysWOW64\Jcckibfg.exe (level 76, PID 984), command line: C:\Windows\system32\Jcckibfg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Jjmcfl32.exe (level 77, PID 2112), command line: C:\Windows\system32\Jjmcfl32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Lepclldc.exe (level 78, PID 2832), command line: C:\Windows\system32\Lepclldc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Manjaldo.exe (level 79, PID 1984), command line: C:\Windows\system32\Manjaldo.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Negeln32.exe (level 80, PID 1980), command line: C:\Windows\system32\Negeln32.exe
- C:\Windows\SysWOW64\Nanfqo32.exe (level 81, PID 2484), command line: C:\Windows\system32\Nanfqo32.exe
- C:\Windows\SysWOW64\Ngjoif32.exe (level 82, PID 1860), command line: C:\Windows\system32\Ngjoif32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Oapcfo32.exe (level 83, PID 2456), command line: C:\Windows\system32\Oapcfo32.exe
- C:\Windows\SysWOW64\Odnobj32.exe (level 84, PID 880), command line: C:\Windows\system32\Odnobj32.exe
- C:\Windows\SysWOW64\Ongckp32.exe (level 85, PID 772), command line: C:\Windows\system32\Ongckp32.exe
- C:\Windows\SysWOW64\Odqlhjbi.exe (level 86, PID 1876), command line: C:\Windows\system32\Odqlhjbi.exe
- C:\Windows\SysWOW64\Okkddd32.exe (level 87, PID 2072), command line: C:\Windows\system32\Okkddd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ollqllod.exe (level 88, PID 1728), command line: C:\Windows\system32\Ollqllod.exe
- C:\Windows\SysWOW64\Odcimipf.exe (level 89, PID 864), command line: C:\Windows\system32\Odcimipf.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ojpaeq32.exe (level 90, PID 2680), command line: C:\Windows\system32\Ojpaeq32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ogdaod32.exe (level 91, PID 2740), command line: C:\Windows\system32\Ogdaod32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ohengmcf.exe (level 92, PID 2204), command line: C:\Windows\system32\Ohengmcf.exe
- C:\Windows\SysWOW64\Omqjgl32.exe (level 93, PID 2056), command line: C:\Windows\system32\Omqjgl32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Ockbdebl.exe (level 94, PID 2024), command line: C:\Windows\system32\Ockbdebl.exe
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Ojdjqp32.exe (level 95, PID 556), command line: C:\Windows\system32\Ojdjqp32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Poacighp.exe (level 96, PID 2844), command line: C:\Windows\system32\Poacighp.exe
- C:\Windows\SysWOW64\Pbpoebgc.exe (level 97, PID 2660), command line: C:\Windows\system32\Pbpoebgc.exe
- C:\Windows\SysWOW64\Pmecbkgj.exe (level 98, PID 2344), command line: C:\Windows\system32\Pmecbkgj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Pfnhkq32.exe (level 99, PID 1356), command line: C:\Windows\system32\Pfnhkq32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Pgodcich.exe (level 100, PID 648), command line: C:\Windows\system32\Pgodcich.exe
- C:\Windows\SysWOW64\Pqgilnji.exe (level 101, PID 328), command line: C:\Windows\system32\Pqgilnji.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Pnkiebib.exe (level 102, PID 1156), command line: C:\Windows\system32\Pnkiebib.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pajeanhf.exe (level 103, PID 1704), command line: C:\Windows\system32\Pajeanhf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Pnnfkb32.exe (level 104, PID 2480), command line: C:\Windows\system32\Pnnfkb32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qgfkchmp.exe (level 105, PID 2576), command line: C:\Windows\system32\Qgfkchmp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Qnpcpa32.exe (level 106, PID 2588), command line: C:\Windows\system32\Qnpcpa32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Qfkgdd32.exe (level 107, PID 2612), command line: C:\Windows\system32\Qfkgdd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Qmepanje.exe (level 108, PID 2016), command line: C:\Windows\system32\Qmepanje.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Acohnhab.exe (level 109, PID 436), command line: C:\Windows\system32\Acohnhab.exe
- C:\Windows\SysWOW64\Aljmbknm.exe (level 110, PID 2172), command line: C:\Windows\system32\Aljmbknm.exe
- C:\Windows\SysWOW64\Afpapcnc.exe (level 111, PID 2388), command line: C:\Windows\system32\Afpapcnc.exe
- C:\Windows\SysWOW64\Almihjlj.exe (level 112, PID 2132), command line: C:\Windows\system32\Almihjlj.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Aeenapck.exe (level 113, PID 2924), command line: C:\Windows\system32\Aeenapck.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Anmbje32.exe (level 114, PID 2268), command line: C:\Windows\system32\Anmbje32.exe
- C:\Windows\SysWOW64\Aicfgn32.exe (level 115, PID 2912), command line: C:\Windows\system32\Aicfgn32.exe
- C:\Windows\SysWOW64\Anpooe32.exe (level 116, PID 2428), command line: C:\Windows\system32\Anpooe32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Bjfpdf32.exe (level 117, PID 2504), command line: C:\Windows\system32\Bjfpdf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Bmelpa32.exe (level 118, PID 2804), command line: C:\Windows\system32\Bmelpa32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Bhjpnj32.exe (level 119, PID 2092), command line: C:\Windows\system32\Bhjpnj32.exe
- C:\Windows\SysWOW64\Bacefpbg.exe (level 120, PID 3032), command line: C:\Windows\system32\Bacefpbg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Bkkioeig.exe (level 121, PID 1012), command line: C:\Windows\system32\Bkkioeig.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Bdcnhk32.exe (level 122, PID 464), command line: C:\Windows\system32\Bdcnhk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
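The WriteProcessMemory table and the process tree above describe the same structure from two sides: every process in the chain writes into exactly one child it has just created, and the sandbox records four WriteProcessMemory calls per parent/child pair. The Python script below is an added example, not part of this report or of any Triage tooling: it parses a constructed sample of those rows (the first four pairs, each repeated four times as on the page), collapses the repeats into edges, finds the root process, walks the spawn chain, and reports whether the tree is a single linear chain, as it is here, or fans out, which would point to injection into more than one target. The row layout it expects and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first four parent/child pairs from the WriteProcessMemory table of
# this report, each repeated four times exactly as the sandbox records them.
SAMPLE = """
PID 2248 wrote to memory of 2796 2248 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe 30
PID 2248 wrote to memory of 2796 2248 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe 30
PID 2248 wrote to memory of 2796 2248 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe 30
PID 2248 wrote to memory of 2796 2248 20a9da29591c786ebf2d42b4fde052cdf317e4ad073433ca951e32d3fffeed3a.exe 30
PID 2796 wrote to memory of 2716 2796 Kppldhla.exe 31
PID 2796 wrote to memory of 2716 2796 Kppldhla.exe 31
PID 2796 wrote to memory of 2716 2796 Kppldhla.exe 31
PID 2796 wrote to memory of 2716 2796 Kppldhla.exe 31
PID 2716 wrote to memory of 2528 2716 Klfmijae.exe 32
PID 2716 wrote to memory of 2528 2716 Klfmijae.exe 32
PID 2716 wrote to memory of 2528 2716 Klfmijae.exe 32
PID 2716 wrote to memory of 2528 2716 Klfmijae.exe 32
PID 2528 wrote to memory of 2684 2528 Klkfdi32.exe 33
PID 2528 wrote to memory of 2684 2528 Klkfdi32.exe 33
PID 2528 wrote to memory of 2684 2528 Klkfdi32.exe 33
PID 2528 wrote to memory of 2684 2528 Klkfdi32.exe 33
"""

# Assumed row layout: "PID <src> wrote to memory of <dst> <pid> <process image> <procid_target>".
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_writes(text):
    """Parse the flattened 'Suspicious use of WriteProcessMemory' rows into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst, pid, image, target_id = m.groups()
        if src != pid:                      # the pid column must agree with the description
            raise ValueError("pid column disagrees with description: " + line)
        records.append({"source": int(src), "target": int(dst),
                        "image": image, "procid_target": int(target_id)})
    return records


def build_chain(records):
    """Collapse repeated writes into edges and walk the spawn chain from its root."""
    writes = Counter((r["source"], r["target"]) for r in records)
    image_of = {r["source"]: r["image"] for r in records}   # only writers are named in the rows
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    targets = {dst for _, dst in writes}
    roots = sorted({src for src, _ in writes} - targets)
    if len(roots) != 1:
        raise ValueError("expected exactly one root process, found %r" % roots)
    root = roots[0]
    chain, seen, pid, fan_out = [], set(), root, False
    # Follow the single child at each step; stop at a leaf, at a fan-out, or on a cycle.
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, image_of.get(pid)))
        kids = children.get(pid, [])
        if len(kids) > 1:
            fan_out = True
            break
        pid = kids[0] if kids else None
    return {
        "root": root,
        "chain": chain,                        # [(pid, image or None), ...] in spawn order
        "linear": not fan_out and pid is None,  # one child per process, no cycle
        "writes_per_edge": dict(writes),
    }


if __name__ == "__main__":
    result = build_chain(parse_writes(SAMPLE))
    print("root %d, %d processes, linear=%s" % (result["root"], len(result["chain"]), result["linear"]))
    for (src, dst), n in result["writes_per_edge"].items():
        print("  %d -> %d (%d writes)" % (src, dst, n))
```

On the full table the same walk yields one root (PID 2248), sixteen edges and seventeen processes, which is exactly the first seventeen entries of the Processes list; the last process named in the table, PID 1068, is the first one in the tree that is not itself tagged with WriteProcessMemory.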