Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
09/10/2024, 08:04
Static task
static1
Behavioral task
behavioral1
Sample
36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224N.exe
Resource
win10v2004-20241007-en
General
Target
36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224N.exe
Size
272KB
MD5
cc11bed69d308d0b98908c5a75b95bd0
SHA1
df8600a2a129e18634ee970ca3382ce65b2d36c1
SHA256
36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224
SHA512
68d49d66745bc5179e84cdb2cc06b593eadfa96d1a8df87a8fc86d80ba0052dda56d2cfd2d6c1ecf4bd3f89fa73c3b1ca91129a9374acf667b5ce774b05caf5e
SSDEEP
6144:0xqvHUlT39bSR0xZKL2bWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRuEuT:0xqP+bSwwL2bWGRdA6sQhPbWGRdA6sQs
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 2120, pid_target: 3560, Process: WerFault.exe, procid_target: 1045
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry: [depth in process tree] image path | command line | PID | signatures

- [1] C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x2f8 | PID 916
- [1] C:\Windows\System32\se6s8b.exe | "C:\Windows\System32\se6s8b.exe" | PID 1568
- [2] C:\Users\Admin\AppData\Local\Temp\2108291627\zmstage.exe | C:\Users\Admin\AppData\Local\Temp\2108291627\zmstage.exe | PID 1592
- [1] C:\Users\Admin\AppData\Local\Temp\36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224N.exe | "C:\Users\Admin\AppData\Local\Temp\36bf6bc6f0801033cfa4693c0fa4de42c52ebaef93c199d8d1de3b4e50d29224N.exe" | PID 1992 | Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Kcimhpma.exe | C:\Windows\system32\Kcimhpma.exe | PID 2040 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Kfgjdlme.exe | C:\Windows\system32\Kfgjdlme.exe | PID 2788 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Kfjfik32.exe | C:\Windows\system32\Kfjfik32.exe | PID 2920 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Kjhopjqi.exe | C:\Windows\system32\Kjhopjqi.exe | PID 2744 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Kpgdnp32.exe | C:\Windows\system32\Kpgdnp32.exe | PID 2620 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Ljcbcngi.exe | C:\Windows\system32\Ljcbcngi.exe | PID 1284 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Ljeoimeg.exe | C:\Windows\system32\Ljeoimeg.exe | PID 2176 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Lgiobadq.exe | C:\Windows\system32\Lgiobadq.exe | PID 1452 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Lmfgkh32.exe | C:\Windows\system32\Lmfgkh32.exe | PID 2824 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Limhpihl.exe | C:\Windows\system32\Limhpihl.exe | PID 2952 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Mlmaad32.exe | C:\Windows\system32\Mlmaad32.exe | PID 3060 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Mlbkmdah.exe | C:\Windows\system32\Mlbkmdah.exe | PID 2664 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Mhikae32.exe | C:\Windows\system32\Mhikae32.exe | PID 2160 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Moccnoni.exe | C:\Windows\system32\Moccnoni.exe | PID 2184 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Neohqicc.exe | C:\Windows\system32\Neohqicc.exe | PID 2320 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Nmmjjk32.exe | C:\Windows\system32\Nmmjjk32.exe | PID 1508 | Executes dropped EXE; Loads dropped DLL
- [18] C:\Windows\SysWOW64\Nickoldp.exe | C:\Windows\system32\Nickoldp.exe | PID 964 | Executes dropped EXE; Loads dropped DLL
- [19] C:\Windows\SysWOW64\Ncloha32.exe | C:\Windows\system32\Ncloha32.exe | PID 2292 | Executes dropped EXE; Loads dropped DLL
- [20] C:\Windows\SysWOW64\Ooemcb32.exe | C:\Windows\system32\Ooemcb32.exe | PID 760 | Executes dropped EXE; Loads dropped DLL
- [21] C:\Windows\SysWOW64\Oklmhcdf.exe | C:\Windows\system32\Oklmhcdf.exe | PID 2060 | Executes dropped EXE; Loads dropped DLL
- [22] C:\Windows\SysWOW64\Ohpnag32.exe | C:\Windows\system32\Ohpnag32.exe | PID 1012 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
- [23] C:\Windows\SysWOW64\Oecnkk32.exe | C:\Windows\system32\Oecnkk32.exe | PID 1644 | Executes dropped EXE; Loads dropped DLL
- [24] C:\Windows\SysWOW64\Oqmokioh.exe | C:\Windows\system32\Oqmokioh.exe | PID 3028 | Executes dropped EXE; Loads dropped DLL
- [25] C:\Windows\SysWOW64\Onapdmma.exe | C:\Windows\system32\Onapdmma.exe | PID 384 | Executes dropped EXE; Loads dropped DLL
- [26] C:\Windows\SysWOW64\Pkepnalk.exe | C:\Windows\system32\Pkepnalk.exe | PID 2500 | Executes dropped EXE; Loads dropped DLL
- [27] C:\Windows\SysWOW64\Pdndggcl.exe | C:\Windows\system32\Pdndggcl.exe | PID 1292 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- [28] C:\Windows\SysWOW64\Pmiikipg.exe | C:\Windows\system32\Pmiikipg.exe | PID 2780 | Executes dropped EXE; Loads dropped DLL
- [29] C:\Windows\SysWOW64\Pgnnhbpm.exe | C:\Windows\system32\Pgnnhbpm.exe | PID 2968 | Executes dropped EXE; Loads dropped DLL
- [30] C:\Windows\SysWOW64\Pjmjdnop.exe | C:\Windows\system32\Pjmjdnop.exe | PID 2684 | Executes dropped EXE; Loads dropped DLL
- [31] C:\Windows\SysWOW64\Pmmcfi32.exe | C:\Windows\system32\Pmmcfi32.exe | PID 2120 | Executes dropped EXE; Loads dropped DLL
- [32] C:\Windows\SysWOW64\Pbjkop32.exe | C:\Windows\system32\Pbjkop32.exe | PID 2200 | Executes dropped EXE; Loads dropped DLL
- [33] C:\Windows\SysWOW64\Amplklmj.exe | C:\Windows\system32\Amplklmj.exe | PID 2772 | Executes dropped EXE
- [34] C:\Windows\SysWOW64\Afhpca32.exe | C:\Windows\system32\Afhpca32.exe | PID 2768 | Executes dropped EXE
- [35] C:\Windows\SysWOW64\Bleilh32.exe | C:\Windows\system32\Bleilh32.exe | PID 1104 | Executes dropped EXE; Modifies registry class
- [36] C:\Windows\SysWOW64\Biiiempl.exe | C:\Windows\system32\Biiiempl.exe | PID 652 | Executes dropped EXE
- [37] C:\Windows\SysWOW64\Bfmjoqoe.exe | C:\Windows\system32\Bfmjoqoe.exe | PID 2756 | Executes dropped EXE
- [38] C:\Windows\SysWOW64\Blibghmm.exe | C:\Windows\system32\Blibghmm.exe | PID 2168 | Executes dropped EXE
- [39] C:\Windows\SysWOW64\Bjoohdbd.exe | C:\Windows\system32\Bjoohdbd.exe | PID 2368 | Executes dropped EXE
- [40] C:\Windows\SysWOW64\Blnkbg32.exe | C:\Windows\system32\Blnkbg32.exe | PID 2012 | Executes dropped EXE
- [41] C:\Windows\SysWOW64\Bmohjooe.exe | C:\Windows\system32\Bmohjooe.exe | PID 1996 | Executes dropped EXE
- [42] C:\Windows\SysWOW64\Cfjihdcc.exe | C:\Windows\system32\Cfjihdcc.exe | PID 1740 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [43] C:\Windows\SysWOW64\Cpbnaj32.exe | C:\Windows\system32\Cpbnaj32.exe | PID 1688 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
- [44] C:\Windows\SysWOW64\Cglfndaa.exe | C:\Windows\system32\Cglfndaa.exe | PID 2644 | Executes dropped EXE; Drops file in System32 directory
- [45] C:\Windows\SysWOW64\Cikbjpqd.exe | C:\Windows\system32\Cikbjpqd.exe | PID 316 | Executes dropped EXE
- [46] C:\Windows\SysWOW64\Cgobcd32.exe | C:\Windows\system32\Cgobcd32.exe | PID 1640 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
- [47] C:\Windows\SysWOW64\Cpgglifo.exe | C:\Windows\system32\Cpgglifo.exe | PID 3040 | Executes dropped EXE
- [48] C:\Windows\SysWOW64\Cipleo32.exe | C:\Windows\system32\Cipleo32.exe | PID 1796 | Executes dropped EXE
- [49] C:\Windows\SysWOW64\Cpidai32.exe | C:\Windows\system32\Cpidai32.exe | PID 1600 | Executes dropped EXE
- [50] C:\Windows\SysWOW64\Dchpnd32.exe | C:\Windows\system32\Dchpnd32.exe | PID 1612 | Executes dropped EXE
- [51] C:\Windows\SysWOW64\Dooqceid.exe | C:\Windows\system32\Dooqceid.exe | PID 1044 | Executes dropped EXE
- [52] C:\Windows\SysWOW64\Dammoahg.exe | C:\Windows\system32\Dammoahg.exe | PID 2256 | Executes dropped EXE
- [53] C:\Windows\SysWOW64\Dhgelk32.exe | C:\Windows\system32\Dhgelk32.exe | PID 2776 | Executes dropped EXE
- [54] C:\Windows\SysWOW64\Dapjdq32.exe | C:\Windows\system32\Dapjdq32.exe | PID 2900 | Executes dropped EXE
- [55] C:\Windows\SysWOW64\Ddnfql32.exe | C:\Windows\system32\Ddnfql32.exe | PID 1672 | Executes dropped EXE
- [56] C:\Windows\SysWOW64\Dabfjp32.exe | C:\Windows\system32\Dabfjp32.exe | PID 2816 | Executes dropped EXE
- [57] C:\Windows\SysWOW64\Dgoobg32.exe | C:\Windows\system32\Dgoobg32.exe | PID 2268 | Executes dropped EXE
- [58] C:\Windows\SysWOW64\Dcepgh32.exe | C:\Windows\system32\Dcepgh32.exe | PID 1204 | Executes dropped EXE
- [59] C:\Windows\SysWOW64\Ejohdbok.exe | C:\Windows\system32\Ejohdbok.exe | PID 2152 | Executes dropped EXE; Drops file in System32 directory
- [60] C:\Windows\SysWOW64\Epipql32.exe | C:\Windows\system32\Epipql32.exe | PID 948 | Executes dropped EXE
- [61] C:\Windows\SysWOW64\Effhic32.exe | C:\Windows\system32\Effhic32.exe | PID 1648 | Executes dropped EXE; Modifies registry class
- [62] C:\Windows\SysWOW64\Enmqjq32.exe | C:\Windows\system32\Enmqjq32.exe | PID 1556 | Executes dropped EXE
- [63] C:\Windows\SysWOW64\Efhenccl.exe | C:\Windows\system32\Efhenccl.exe | PID 1108 | Executes dropped EXE
- [64] C:\Windows\SysWOW64\Ehgaknbp.exe | C:\Windows\system32\Ehgaknbp.exe | PID 2236 | Executes dropped EXE; Drops file in System32 directory
- [65] C:\Windows\SysWOW64\Efkbdbai.exe | C:\Windows\system32\Efkbdbai.exe | PID 780 | Executes dropped EXE
- [66] C:\Windows\SysWOW64\Ehinpnpm.exe | C:\Windows\system32\Ehinpnpm.exe | PID 2272 | Adds autorun key to be loaded by Explorer.exe on startup
- [67] C:\Windows\SysWOW64\Efmoib32.exe | C:\Windows\system32\Efmoib32.exe | PID 1692
- [68] C:\Windows\SysWOW64\Enhcnd32.exe | C:\Windows\system32\Enhcnd32.exe | PID 2680
- [69] C:\Windows\SysWOW64\Fkldgi32.exe | C:\Windows\system32\Fkldgi32.exe | PID 3000
- [70] C:\Windows\SysWOW64\Fipdqmje.exe | C:\Windows\system32\Fipdqmje.exe | PID 2648 | Modifies registry class
- [71] C:\Windows\SysWOW64\Fnmmidhm.exe | C:\Windows\system32\Fnmmidhm.exe | PID 2460
- [72] C:\Windows\SysWOW64\Fqkieogp.exe | C:\Windows\system32\Fqkieogp.exe | PID 1288
- [73] C:\Windows\SysWOW64\Fjdnne32.exe | C:\Windows\system32\Fjdnne32.exe | PID 2576
- [74] C:\Windows\SysWOW64\Feiaknmg.exe | C:\Windows\system32\Feiaknmg.exe | PID 2560 | Adds autorun key to be loaded by Explorer.exe on startup
- [75] C:\Windows\SysWOW64\Ffkncf32.exe | C:\Windows\system32\Ffkncf32.exe | PID 2380 | System Location Discovery: System Language Discovery; Modifies registry class
- [76] C:\Windows\SysWOW64\Fnafdc32.exe | C:\Windows\system32\Fnafdc32.exe | PID 2760 | Adds autorun key to be loaded by Explorer.exe on startup
- [77] C:\Windows\SysWOW64\Gbdlnf32.exe | C:\Windows\system32\Gbdlnf32.exe | PID 772
- [78] C:\Windows\SysWOW64\Gphlgk32.exe | C:\Windows\system32\Gphlgk32.exe | PID 2732 | Modifies registry class
- [79] C:\Windows\SysWOW64\Glomllkd.exe | C:\Windows\system32\Glomllkd.exe | PID 1112
- [80] C:\Windows\SysWOW64\Gbheif32.exe | C:\Windows\system32\Gbheif32.exe | PID 1552
- [81] C:\Windows\SysWOW64\Gibmep32.exe | C:\Windows\system32\Gibmep32.exe | PID 828
- [82] C:\Windows\SysWOW64\Geinjapb.exe | C:\Windows\system32\Geinjapb.exe | PID 2416 | System Location Discovery: System Language Discovery
- [83] C:\Windows\SysWOW64\Gnabcf32.exe | C:\Windows\system32\Gnabcf32.exe | PID 2072
- [84] C:\Windows\SysWOW64\Gekkpqnp.exe | C:\Windows\system32\Gekkpqnp.exe | PID 2668
- [85] C:\Windows\SysWOW64\Habkeacd.exe | C:\Windows\system32\Habkeacd.exe | PID 2376
- [86] C:\Windows\SysWOW64\Hdqhambg.exe | C:\Windows\system32\Hdqhambg.exe | PID 1476
- [87] C:\Windows\SysWOW64\Hnflnfbm.exe | C:\Windows\system32\Hnflnfbm.exe | PID 2456
- [88] C:\Windows\SysWOW64\Hdcdfmqe.exe | C:\Windows\system32\Hdcdfmqe.exe | PID 2820
- [89] C:\Windows\SysWOW64\Hjmmcgha.exe | C:\Windows\system32\Hjmmcgha.exe | PID 1664
- [90] C:\Windows\SysWOW64\Hpjeknfi.exe | C:\Windows\system32\Hpjeknfi.exe | PID 2408
- [91] C:\Windows\SysWOW64\Hibidc32.exe | C:\Windows\system32\Hibidc32.exe | PID 2104
- [92] C:\Windows\SysWOW64\Hidfjckg.exe | C:\Windows\system32\Hidfjckg.exe | PID 604
- [93] C:\Windows\SysWOW64\Ioaobjin.exe | C:\Windows\system32\Ioaobjin.exe | PID 2248
- [94] C:\Windows\SysWOW64\Ifhgcgjq.exe | C:\Windows\system32\Ifhgcgjq.exe | PID 1536
- [95] C:\Windows\SysWOW64\Ileoknhh.exe | C:\Windows\system32\Ileoknhh.exe | PID 632
- [96] C:\Windows\SysWOW64\Iboghh32.exe | C:\Windows\system32\Iboghh32.exe | PID 1032
- [97] C:\Windows\SysWOW64\Ilhlan32.exe | C:\Windows\system32\Ilhlan32.exe | PID 236
- [98] C:\Windows\SysWOW64\Ibadnhmb.exe | C:\Windows\system32\Ibadnhmb.exe | PID 2848
- [99] C:\Windows\SysWOW64\Ihnmfoli.exe | C:\Windows\system32\Ihnmfoli.exe | PID 1720
- [100] C:\Windows\SysWOW64\Ikmibjkm.exe | C:\Windows\system32\Ikmibjkm.exe | PID 2636 | Modifies registry class
- [101] C:\Windows\SysWOW64\Iebmpcjc.exe | C:\Windows\system32\Iebmpcjc.exe | PID 2084 | System Location Discovery: System Language Discovery
- [102] C:\Windows\SysWOW64\Iokahhac.exe | C:\Windows\system32\Iokahhac.exe | PID 1712 | Modifies registry class
- [103] C:\Windows\SysWOW64\Iplnpq32.exe | C:\Windows\system32\Iplnpq32.exe | PID 2108
- [104] C:\Windows\SysWOW64\Igffmkno.exe | C:\Windows\system32\Igffmkno.exe | PID 2752
- [105] C:\Windows\SysWOW64\Kheofahm.exe | C:\Windows\system32\Kheofahm.exe | PID 3004
- [106] C:\Windows\SysWOW64\Koogbk32.exe | C:\Windows\system32\Koogbk32.exe | PID 2736
- [107] C:\Windows\SysWOW64\Kbppdfmk.exe | C:\Windows\system32\Kbppdfmk.exe | PID 1368 | Modifies registry class
- [108] C:\Windows\SysWOW64\Kjkehhjf.exe | C:\Windows\system32\Kjkehhjf.exe | PID 1300
- [109] C:\Windows\SysWOW64\Lbmpnjai.exe | C:\Windows\system32\Lbmpnjai.exe | PID 1028
- [110] C:\Windows\SysWOW64\Lmcdkbao.exe | C:\Windows\system32\Lmcdkbao.exe | PID 392 | System Location Discovery: System Language Discovery
- [111] C:\Windows\SysWOW64\Lenioenj.exe | C:\Windows\system32\Lenioenj.exe | PID 2528 | Drops file in System32 directory
- [112] C:\Windows\SysWOW64\Lpcmlnnp.exe | C:\Windows\system32\Lpcmlnnp.exe | PID 2676 | Modifies registry class
- [113] C:\Windows\SysWOW64\Leqeed32.exe | C:\Windows\system32\Leqeed32.exe | PID 1988
- [114] C:\Windows\SysWOW64\Mnijnjbh.exe | C:\Windows\system32\Mnijnjbh.exe | PID 2916
- [115] C:\Windows\SysWOW64\Mcfbfaao.exe | C:\Windows\system32\Mcfbfaao.exe | PID 1828
- [116] C:\Windows\SysWOW64\Mnkfcjqe.exe | C:\Windows\system32\Mnkfcjqe.exe | PID 3044
- [117] C:\Windows\SysWOW64\Meeopdhb.exe | C:\Windows\system32\Meeopdhb.exe | PID 2136
- [118] C:\Windows\SysWOW64\Mffkgl32.exe | C:\Windows\system32\Mffkgl32.exe | PID 1792
- [119] C:\Windows\SysWOW64\Mpoppadq.exe | C:\Windows\system32\Mpoppadq.exe | PID 2132
- [120] C:\Windows\SysWOW64\Migdig32.exe | C:\Windows\system32\Migdig32.exe | PID 1832 | Modifies registry class
- [121] C:\Windows\SysWOW64\Mpalfabn.exe | C:\Windows\system32\Mpalfabn.exe | PID 2660
- [122] C:\Windows\SysWOW64\Miiaogio.exe | C:\Windows\system32\Miiaogio.exe | PID 2628