Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 03:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe
-
Size
391KB
-
MD5
c27e9b30eb374f96e1e037690062c0aa
-
SHA1
742f5d08c49826622bd06d0f32d3786f1ea74bff
-
SHA256
ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8
-
SHA512
c9261ff63f9b897f007125ded3bbbb4d2fcd2c466e697510d397adab760aa4ffa6060bea4d6fcb47feab590ae71deb968e5be3dde8253bbfbd3bede24ddf003c
-
SSDEEP
6144:l4HBYUD6aAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:qqjmNtuhUNP3cOK3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklikj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebnic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdjalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cceapl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmdjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepbmhpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkhpadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndafcmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjpaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojnql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhddh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfpmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccoeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjfphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiebnjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enmnahnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdkpiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nffccejb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldkdckff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkgldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjilmejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oielnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blipno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfabgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apefjqob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llgljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paggce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphhka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbpqmfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aedlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efppqoil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boobki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oggeokoq.exe -
Executes dropped EXE 64 IoCs
pid Process 2892 Bcbfbp32.exe 2768 Bfabnl32.exe 2796 Bqmpdioa.exe 2532 Bbllnlfd.exe 2968 Cmfmojcb.exe 1492 Cfoaho32.exe 2356 Cmkfji32.exe 1688 Cfckcoen.exe 1076 Cidddj32.exe 1256 Dekdikhc.exe 3020 Dboeco32.exe 1952 Dihmpinj.exe 2200 Djlfma32.exe 2504 Dafoikjb.exe 2856 Emoldlmc.exe 1732 Eppefg32.exe 2296 Eoebgcol.exe 1588 Efljhq32.exe 2240 Elibpg32.exe 1260 Eimcjl32.exe 1020 Feddombd.exe 1036 Flnlkgjq.exe 2148 Fdiqpigl.exe 2540 Fggmldfp.exe 2736 Fhgifgnb.exe 2740 Fihfnp32.exe 2560 Faonom32.exe 2564 Fmfocnjg.exe 2972 Fpdkpiik.exe 2088 Gmhkin32.exe 2400 Ggapbcne.exe 2300 Gcgqgd32.exe 1040 Gefmcp32.exe 2016 Gonale32.exe 1736 Gehiioaj.exe 532 Goqnae32.exe 1652 Gaojnq32.exe 2212 Gkgoff32.exe 3028 Gaagcpdl.exe 1128 Hkjkle32.exe 2412 Hnhgha32.exe 2464 Hgqlafap.exe 1980 Hnkdnqhm.exe 1908 Hmpaom32.exe 2684 Honnki32.exe 1248 Hgeelf32.exe 296 Hjcaha32.exe 2900 Hqnjek32.exe 2804 Hfjbmb32.exe 2556 Hmdkjmip.exe 2648 Iocgfhhc.exe 2160 Ifmocb32.exe 2164 Iikkon32.exe 756 Ioeclg32.exe 1016 Ibcphc32.exe 1032 Iinhdmma.exe 1780 Iogpag32.exe 2352 Iaimipjl.exe 2196 Ijaaae32.exe 1556 Ibhicbao.exe 1988 Iegeonpc.exe 2004 Igebkiof.exe 1312 Inojhc32.exe 2216 Ieibdnnp.exe -
Loads dropped DLL 64 IoCs
pid Process 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 2892 Bcbfbp32.exe 2892 Bcbfbp32.exe 2768 Bfabnl32.exe 2768 Bfabnl32.exe 2796 Bqmpdioa.exe 2796 Bqmpdioa.exe 2532 Bbllnlfd.exe 2532 Bbllnlfd.exe 2968 Cmfmojcb.exe 2968 Cmfmojcb.exe 1492 Cfoaho32.exe 1492 Cfoaho32.exe 2356 Cmkfji32.exe 2356 Cmkfji32.exe 1688 Cfckcoen.exe 1688 Cfckcoen.exe 1076 Cidddj32.exe 1076 Cidddj32.exe 1256 Dekdikhc.exe 1256 Dekdikhc.exe 3020 Dboeco32.exe 3020 Dboeco32.exe 1952 Dihmpinj.exe 1952 Dihmpinj.exe 2200 Djlfma32.exe 2200 Djlfma32.exe 2504 Dafoikjb.exe 2504 Dafoikjb.exe 2856 Emoldlmc.exe 2856 Emoldlmc.exe 1732 Eppefg32.exe 1732 Eppefg32.exe 2296 Eoebgcol.exe 2296 Eoebgcol.exe 1588 Efljhq32.exe 1588 Efljhq32.exe 2240 Elibpg32.exe 2240 Elibpg32.exe 1260 Eimcjl32.exe 1260 Eimcjl32.exe 1020 Feddombd.exe 1020 Feddombd.exe 1036 Flnlkgjq.exe 1036 Flnlkgjq.exe 2148 Fdiqpigl.exe 2148 Fdiqpigl.exe 2540 Fggmldfp.exe 2540 Fggmldfp.exe 2736 Fhgifgnb.exe 2736 Fhgifgnb.exe 2740 Fihfnp32.exe 2740 Fihfnp32.exe 2560 Faonom32.exe 2560 Faonom32.exe 2564 Fmfocnjg.exe 2564 Fmfocnjg.exe 2972 Fpdkpiik.exe 2972 Fpdkpiik.exe 2088 Gmhkin32.exe 2088 Gmhkin32.exe 2400 Ggapbcne.exe 2400 Ggapbcne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Heqimm32.exe Hcblqb32.exe File opened for modification C:\Windows\SysWOW64\Hajfgnjc.exe Hkpnjd32.exe File opened for modification C:\Windows\SysWOW64\Kcmdjgbh.exe Kmclmm32.exe File created C:\Windows\SysWOW64\Dfaaak32.dll Jmfcop32.exe File created C:\Windows\SysWOW64\Leikbd32.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Dakfkb32.dll Oielnd32.exe File created C:\Windows\SysWOW64\Pmnghfhi.exe Phaoppja.exe File created C:\Windows\SysWOW64\Acbbhobn.dll Dmgoif32.exe File opened for modification C:\Windows\SysWOW64\Nfjildbp.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Blipno32.exe Bhndnpnp.exe File created C:\Windows\SysWOW64\Iidbakdl.dll Cncolfcl.exe File opened for modification C:\Windows\SysWOW64\Eclcon32.exe Embkbdce.exe File created C:\Windows\SysWOW64\Faffik32.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Iegeonpc.exe Ibhicbao.exe File created C:\Windows\SysWOW64\Aekabb32.dll Ibhicbao.exe File opened for modification C:\Windows\SysWOW64\Igpaec32.exe Iqfiii32.exe File opened for modification C:\Windows\SysWOW64\Dccpbd32.dll Bihgmdih.exe File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe Libjncnc.exe File created C:\Windows\SysWOW64\Imacijjb.exe Iifghk32.exe File opened for modification C:\Windows\SysWOW64\Mhkfnlme.exe Maanab32.exe File opened for modification C:\Windows\SysWOW64\Boobki32.exe Bkcfjk32.exe File opened for modification C:\Windows\SysWOW64\Nbhkmg32.exe Nojnql32.exe File created C:\Windows\SysWOW64\Pppgjnfc.dll Onfabgch.exe File created C:\Windows\SysWOW64\Ccfkja32.dll Cgogealf.exe File created C:\Windows\SysWOW64\Kaholp32.exe Kpfbegei.exe File opened for modification C:\Windows\SysWOW64\Cceapl32.exe Cnhhge32.exe File opened for modification C:\Windows\SysWOW64\Llgljn32.exe Liipnb32.exe File created C:\Windows\SysWOW64\Ckhpejbf.exe Ccqhdmbc.exe File created C:\Windows\SysWOW64\Ghmnljbp.dll Keango32.exe File created C:\Windows\SysWOW64\Jmccgf32.dll Obhpad32.exe File created C:\Windows\SysWOW64\Egpena32.exe Efoifiep.exe File opened for modification C:\Windows\SysWOW64\Iegeonpc.exe Ibhicbao.exe File opened for modification C:\Windows\SysWOW64\Ldbaopdj.exe Ladebd32.exe File created C:\Windows\SysWOW64\Kaihlkop.dll Pilbocej.exe File created C:\Windows\SysWOW64\Inepgn32.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Obffbh32.dll Kjepaa32.exe File created C:\Windows\SysWOW64\Jhgnoe32.dll Nklopg32.exe File created C:\Windows\SysWOW64\Joomjp32.dll Nddcimag.exe File opened for modification C:\Windows\SysWOW64\Ppdfimji.exe Pjhnqfla.exe File created C:\Windows\SysWOW64\Ikaihg32.dll Ibcphc32.exe File opened for modification C:\Windows\SysWOW64\Coafko32.exe Chgnneiq.exe File created C:\Windows\SysWOW64\Dghjkpck.exe Doabjbci.exe File created C:\Windows\SysWOW64\Kidncq32.dll Dijfch32.exe File opened for modification C:\Windows\SysWOW64\Fmlecinf.exe Fiqibj32.exe File created C:\Windows\SysWOW64\Geogecdd.dll Aifjgdkj.exe File created C:\Windows\SysWOW64\Akbieg32.dll Bakaaepk.exe File created C:\Windows\SysWOW64\Hkagib32.dll Ojeakfnd.exe File opened for modification C:\Windows\SysWOW64\Enmnahnm.exe Egcfdn32.exe File created C:\Windows\SysWOW64\Cfckcoen.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Mjfphf32.exe Mkcplien.exe File created C:\Windows\SysWOW64\Ihjpll32.dll Jfjhbo32.exe File opened for modification C:\Windows\SysWOW64\Ndfpnl32.exe Nnlhab32.exe File created C:\Windows\SysWOW64\Deafohkc.dll Onjgkf32.exe File created C:\Windows\SysWOW64\Imogcj32.exe Ijqjgo32.exe File created C:\Windows\SysWOW64\Abhnddbn.dll Kjbclamj.exe File created C:\Windows\SysWOW64\Ojeakfnd.exe Oggeokoq.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Hmdkjmip.exe File created C:\Windows\SysWOW64\Hdbcmcno.dll Qmenhe32.exe File opened for modification C:\Windows\SysWOW64\Blnpddeo.exe Bcflko32.exe File opened for modification C:\Windows\SysWOW64\Cfnkmi32.exe Codbqonk.exe File created C:\Windows\SysWOW64\Ejnjabpb.dll Cnnimkom.exe File created C:\Windows\SysWOW64\Egfdjljo.dll Aiaqle32.exe File created C:\Windows\SysWOW64\Flnndp32.exe Faijggao.exe File opened for modification C:\Windows\SysWOW64\Flcojeak.exe Fiebnjbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5972 6032 WerFault.exe 552 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefnjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgdmjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felcbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpepkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnkmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbngfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjhbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebnic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efppqoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenhopmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhqjen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnokahip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phledp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coafko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhfnifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpfdaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqmcgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmbme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omlncc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmmfjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiaipmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekghdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apefjqob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkako32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doabjbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbmcb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdaimdkg.dll" Pbepkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qblfkgqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ephdjeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Felcbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbcelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkebqmfj.dll" Pjhnqfla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll" Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocefpnom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paggce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canoml32.dll" Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaelqba.dll" Phledp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klkfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnoe32.dll" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Feddombd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjfkmdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paggce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicagla.dll" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabcdq32.dll" Bogljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcckjpl.dll" Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdeed32.dll" Oibohdmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ficehj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjpll32.dll" Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpcdopi.dll" Blkmdodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbllnlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgcjpkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnonkf32.dll" Fogdap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnbcaome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laaabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmphpn.dll" Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Emoldlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Codbqonk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enbogmnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqhfnifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" Nnlhab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feembf32.dll" Nkaoemjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldainid.dll" Odacbpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anldhe32.dll" Lklikj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnnimkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geloanjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgfooe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diqmcgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiaapj32.dll" Felcbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll" Igebkiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmbqcf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2892 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 31 PID 2364 wrote to memory of 2892 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 31 PID 2364 wrote to memory of 2892 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 31 PID 2364 wrote to memory of 2892 2364 ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe 31 PID 2892 wrote to memory of 2768 2892 Bcbfbp32.exe 32 PID 2892 wrote to memory of 2768 2892 Bcbfbp32.exe 32 PID 2892 wrote to memory of 2768 2892 Bcbfbp32.exe 32 PID 2892 wrote to memory of 2768 2892 Bcbfbp32.exe 32 PID 2768 wrote to memory of 2796 2768 Bfabnl32.exe 33 PID 2768 wrote to memory of 2796 2768 Bfabnl32.exe 33 PID 2768 wrote to memory of 2796 2768 Bfabnl32.exe 33 PID 2768 wrote to memory of 2796 2768 Bfabnl32.exe 33 PID 2796 wrote to memory of 2532 2796 Bqmpdioa.exe 34 PID 2796 wrote to memory of 2532 2796 Bqmpdioa.exe 34 PID 2796 wrote to memory of 2532 2796 Bqmpdioa.exe 34 PID 2796 wrote to memory of 2532 2796 Bqmpdioa.exe 34 PID 2532 wrote to memory of 2968 2532 Bbllnlfd.exe 35 PID 2532 wrote to memory of 2968 2532 Bbllnlfd.exe 35 PID 2532 wrote to memory of 2968 2532 Bbllnlfd.exe 35 PID 2532 wrote to memory of 2968 2532 Bbllnlfd.exe 35 PID 2968 wrote to memory of 1492 2968 Cmfmojcb.exe 36 PID 2968 wrote to memory of 1492 2968 Cmfmojcb.exe 36 PID 2968 wrote to memory of 1492 2968 Cmfmojcb.exe 36 PID 2968 wrote to memory of 1492 2968 Cmfmojcb.exe 36 PID 1492 wrote to memory of 2356 1492 Cfoaho32.exe 37 PID 1492 wrote to memory of 2356 1492 Cfoaho32.exe 37 PID 1492 wrote to memory of 2356 1492 Cfoaho32.exe 37 PID 1492 wrote to memory of 2356 1492 Cfoaho32.exe 37 PID 2356 wrote to memory of 1688 2356 Cmkfji32.exe 38 PID 2356 wrote to memory of 1688 2356 Cmkfji32.exe 38 PID 2356 wrote to memory of 1688 2356 Cmkfji32.exe 38 PID 2356 wrote to memory of 1688 2356 Cmkfji32.exe 38 PID 1688 wrote to memory of 1076 1688 Cfckcoen.exe 39 PID 1688 wrote to memory of 1076 1688 Cfckcoen.exe 39 PID 1688 wrote to memory of 1076 1688 Cfckcoen.exe 39 PID 1688 wrote to memory of 1076 1688 Cfckcoen.exe 39 PID 1076 wrote to memory of 1256 1076 Cidddj32.exe 40 PID 1076 wrote to memory of 1256 1076 Cidddj32.exe 40 PID 1076 wrote to memory of 1256 1076 Cidddj32.exe 40 PID 1076 wrote to memory of 1256 1076 Cidddj32.exe 40 PID 1256 wrote to memory of 3020 1256 Dekdikhc.exe 41 PID 1256 wrote to memory of 3020 1256 Dekdikhc.exe 41 PID 1256 wrote to memory of 3020 1256 Dekdikhc.exe 41 PID 1256 wrote to memory of 3020 1256 Dekdikhc.exe 41 PID 3020 wrote to memory of 1952 3020 Dboeco32.exe 42 PID 3020 wrote to memory of 1952 3020 Dboeco32.exe 42 PID 3020 wrote to memory of 1952 3020 Dboeco32.exe 42 PID 3020 wrote to memory of 1952 3020 Dboeco32.exe 42 PID 1952 wrote to memory of 2200 1952 Dihmpinj.exe 43 PID 1952 wrote to memory of 2200 1952 Dihmpinj.exe 43 PID 1952 wrote to memory of 2200 1952 Dihmpinj.exe 43 PID 1952 wrote to memory of 2200 1952 Dihmpinj.exe 43 PID 2200 wrote to memory of 2504 2200 Djlfma32.exe 44 PID 2200 wrote to memory of 2504 2200 Djlfma32.exe 44 PID 2200 wrote to memory of 2504 2200 Djlfma32.exe 44 PID 2200 wrote to memory of 2504 2200 Djlfma32.exe 44 PID 2504 wrote to memory of 2856 2504 Dafoikjb.exe 45 PID 2504 wrote to memory of 2856 2504 Dafoikjb.exe 45 PID 2504 wrote to memory of 2856 2504 Dafoikjb.exe 45 PID 2504 wrote to memory of 2856 2504 Dafoikjb.exe 45 PID 2856 wrote to memory of 1732 2856 Emoldlmc.exe 46 PID 2856 wrote to memory of 1732 2856 Emoldlmc.exe 46 PID 2856 wrote to memory of 1732 2856 Emoldlmc.exe 46 PID 2856 wrote to memory of 1732 2856 Emoldlmc.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe"C:\Users\Admin\AppData\Local\Temp\ee6496b0bd98c9c71f53bfecb1a15aee43fd1757ec9cf3d08e1c2ddbbcd1a9c8.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe34⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe36⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe37⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Gaojnq32.exeC:\Windows\system32\Gaojnq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe39⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe40⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Hnhgha32.exeC:\Windows\system32\Hnhgha32.exe42⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe45⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Honnki32.exeC:\Windows\system32\Honnki32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe47⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe48⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Hfjbmb32.exeC:\Windows\system32\Hfjbmb32.exe50⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Iocgfhhc.exeC:\Windows\system32\Iocgfhhc.exe52⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe53⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe54⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ioeclg32.exeC:\Windows\system32\Ioeclg32.exe55⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Iinhdmma.exeC:\Windows\system32\Iinhdmma.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe58⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe59⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ijaaae32.exeC:\Windows\system32\Ijaaae32.exe60⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe65⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jjfkmdlg.exeC:\Windows\system32\Jjfkmdlg.exe66⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Japciodd.exeC:\Windows\system32\Japciodd.exe67⤵PID:2448
-
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe68⤵PID:1604
-
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe70⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe72⤵PID:2104
-
C:\Windows\SysWOW64\Jfohgepi.exeC:\Windows\system32\Jfohgepi.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe74⤵PID:2280
-
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe75⤵PID:2596
-
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe76⤵PID:2168
-
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe77⤵PID:2928
-
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe78⤵PID:2792
-
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe79⤵PID:1924
-
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe81⤵PID:2452
-
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe82⤵PID:1936
-
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe84⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe85⤵PID:2568
-
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe87⤵PID:1268
-
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe88⤵
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe89⤵PID:2184
-
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe90⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe91⤵PID:1148
-
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe92⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe94⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe95⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe96⤵PID:1696
-
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe97⤵PID:2700
-
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe98⤵PID:2608
-
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe99⤵PID:2108
-
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe100⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe102⤵PID:264
-
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe104⤵PID:2052
-
C:\Windows\SysWOW64\Lklikj32.exeC:\Windows\system32\Lklikj32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe106⤵PID:2140
-
C:\Windows\SysWOW64\Mebnic32.exeC:\Windows\system32\Mebnic32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe108⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe109⤵
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe111⤵PID:2680
-
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe112⤵PID:2784
-
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe113⤵PID:2484
-
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe114⤵PID:1468
-
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe115⤵PID:1932
-
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe116⤵PID:1324
-
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe117⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe119⤵PID:2572
-
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe120⤵PID:1772
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-