Analysis
max time kernel: 114s
max time network: 19s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
  Resource: win10v2004-20240709-en
General
Target: e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
Size: 96KB
MD5: e8cc2eab5e6c5f31e6c37d3df4f44340
SHA1: d0e655e356b723504b3399544f664b795fbb0047
SHA256: dad88b78642d9f2f64307700dce2c5d2cd90b5c720c570fa87f1272ce1d3c7dc
SHA512: eb315975af07797e33f59e643361d8f3e6ff5f9f448348b238f78ab1709bfd31f970cee5dc7091b35b7659d18eb038de3e6f3226d8df20c9db602857e518442b
SSDEEP: 1536:DmIeiDgicV8zhMoYAR4CkJ2L27RZObZUUWaegPYA:DiHV8pxKCb2ClUUWae
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlnfof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Labjcmqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bebmgc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkiopock.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmiccl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cngebd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dchcdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Likbap32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlpamn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbokaelh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhqico32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnnblfgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daognhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inhfmmfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Encgglkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edbmec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elbkddpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gikahkng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiimnjmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkmijk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glfqngom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndgiok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlejhmge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojkcfdgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plqjilia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnkjlg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diaecf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjjmgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlbncmih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhldiljp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aofhejdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dngaahan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpmajb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifgml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iocekd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfhpkbbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcodol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geoegm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koodlbeh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qadhba32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppoboj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blmlnd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmoghklh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ledplq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkhnef32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njadab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogcddjpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plnmcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qbelfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfcigk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fddeifgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaiamamk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbdakh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgcbeagn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmmommnl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcggjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbfllc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjlfkaqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmlnbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcnleahm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkdokjdd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjqigkfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdiode32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlnfof32.exe
Executes dropped EXE 64 IoCs
pid | Process
980 | Pmefidoj.exe
1272 | Pdpoeo32.exe
1692 | Qbboakna.exe
1348 | Qbelfk32.exe
2612 | Qiodcecl.exe
2780 | Qpilpo32.exe
2996 | Aajhhgpg.exe
852 | Ahdqdahc.exe
2548 | Abieajgi.exe
2384 | Adkaib32.exe
2460 | Akdjfmed.exe
2892 | Aaobcg32.exe
2828 | Akgfll32.exe
2684 | Apdodc32.exe
3056 | Agngqmhf.exe
552 | Aacknfhl.exe
2264 | Agpdfmfc.exe
2484 | Bnjlcgnp.exe
2368 | Blmlnd32.exe
2092 | Bcgdknlh.exe
1584 | Bjamhh32.exe
1432 | Bloidc32.exe
1200 | Bgemal32.exe
1456 | Bjcimhab.exe
1984 | Blaficqe.exe
2228 | Bpmajb32.exe
3060 | Bannajom.exe
2804 | Boboknnf.exe
1132 | Bbakgjmj.exe
2608 | Bkiopock.exe
2748 | Boekqn32.exe
2772 | Ckklfoah.exe
2616 | Cnjhbjql.exe
2504 | Cqhdnfpp.exe
1480 | Chpmocpa.exe
2832 | Cjqigkfp.exe
2540 | Cbhahigb.exe
2148 | Cgdippej.exe
2952 | Cjcflkdm.exe
2680 | Cdhjjddc.exe
2820 | Cmdonf32.exe
884 | Ccngkphk.exe
2876 | Dmfkcf32.exe
2244 | Dbcdlm32.exe
2256 | Dmhhie32.exe
2428 | Dcbpfp32.exe
2308 | Dfambk32.exe
1852 | Dmkeoekf.exe
1064 | Dpiakqjj.exe
1548 | Dfcigk32.exe
2988 | Diaecf32.exe
2688 | Dplnpp32.exe
2652 | Dbjjll32.exe
2724 | Didbifoh.exe
2528 | Dlboeanl.exe
2116 | Dblgbk32.exe
1644 | Daognhlc.exe
3068 | Ecncjckf.exe
2908 | Eldkkali.exe
2920 | Encgglkm.exe
2700 | Encgglkm.exe
1072 | Eempcfbi.exe
756 | Ecppoc32.exe
2240 | Enedml32.exe
Loads dropped DLL 64 IoCs
pid | Process
1908 | e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
1908 | e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
980 | Pmefidoj.exe
980 | Pmefidoj.exe
1272 | Pdpoeo32.exe
1272 | Pdpoeo32.exe
1692 | Qbboakna.exe
1692 | Qbboakna.exe
1348 | Qbelfk32.exe
1348 | Qbelfk32.exe
2612 | Qiodcecl.exe
2612 | Qiodcecl.exe
2780 | Qpilpo32.exe
2780 | Qpilpo32.exe
2996 | Aajhhgpg.exe
2996 | Aajhhgpg.exe
852 | Ahdqdahc.exe
852 | Ahdqdahc.exe
2548 | Abieajgi.exe
2548 | Abieajgi.exe
2384 | Adkaib32.exe
2384 | Adkaib32.exe
2460 | Akdjfmed.exe
2460 | Akdjfmed.exe
2892 | Aaobcg32.exe
2892 | Aaobcg32.exe
2828 | Akgfll32.exe
2828 | Akgfll32.exe
2684 | Apdodc32.exe
2684 | Apdodc32.exe
3056 | Agngqmhf.exe
3056 | Agngqmhf.exe
552 | Aacknfhl.exe
552 | Aacknfhl.exe
2264 | Agpdfmfc.exe
2264 | Agpdfmfc.exe
2484 | Bnjlcgnp.exe
2484 | Bnjlcgnp.exe
2368 | Blmlnd32.exe
2368 | Blmlnd32.exe
2092 | Bcgdknlh.exe
2092 | Bcgdknlh.exe
1584 | Bjamhh32.exe
1584 | Bjamhh32.exe
1432 | Bloidc32.exe
1432 | Bloidc32.exe
1200 | Bgemal32.exe
1200 | Bgemal32.exe
1456 | Bjcimhab.exe
1456 | Bjcimhab.exe
1984 | Blaficqe.exe
1984 | Blaficqe.exe
2228 | Bpmajb32.exe
2228 | Bpmajb32.exe
3060 | Bannajom.exe
3060 | Bannajom.exe
2804 | Boboknnf.exe
2804 | Boboknnf.exe
1132 | Bbakgjmj.exe
1132 | Bbakgjmj.exe
2608 | Bkiopock.exe
2608 | Bkiopock.exe
2748 | Boekqn32.exe
2748 | Boekqn32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Feoihi32.exe | Fbqllnco.exe
File created | C:\Windows\SysWOW64\Bpmokk32.dll | Pbkbff32.exe
File created | C:\Windows\SysWOW64\Ajhfkk32.dll | Dgoejm32.exe
File created | C:\Windows\SysWOW64\Bloidc32.exe | Bjamhh32.exe
File created | C:\Windows\SysWOW64\Ckklfoah.exe | Boekqn32.exe
File created | C:\Windows\SysWOW64\Efeblnbp.exe | Edgfpbcl.exe
File created | C:\Windows\SysWOW64\Aaiamamk.exe | Ajoiqg32.exe
File opened for modification | C:\Windows\SysWOW64\Aaiamamk.exe | Ajoiqg32.exe
File opened for modification | C:\Windows\SysWOW64\Dmlnbd32.exe | Djnafi32.exe
File created | C:\Windows\SysWOW64\Dfdbkj32.exe | Dgabomfl.exe
File created | C:\Windows\SysWOW64\Emhdhipd.exe | Enedml32.exe
File created | C:\Windows\SysWOW64\Epegcd32.dll | Fpkfng32.exe
File opened for modification | C:\Windows\SysWOW64\Gdiode32.exe | Gmoghklh.exe
File created | C:\Windows\SysWOW64\Cfpmqg32.exe | Bcaqdl32.exe
File opened for modification | C:\Windows\SysWOW64\Ccfjpkkg.exe | Cphncpld.exe
File opened for modification | C:\Windows\SysWOW64\Diekle32.exe | Dffopi32.exe
File opened for modification | C:\Windows\SysWOW64\Dffopi32.exe | Dchcdn32.exe
File opened for modification | C:\Windows\SysWOW64\Pmefidoj.exe | e8cc2eab5e6c5f31e6c37d3df4f44340N.exe
File opened for modification | C:\Windows\SysWOW64\Ndgiok32.exe | Nlpamn32.exe
File created | C:\Windows\SysWOW64\Banggcka.exe | Bkdokjdd.exe
File created | C:\Windows\SysWOW64\Gogijo32.dll | Lpejnj32.exe
File created | C:\Windows\SysWOW64\Lkjolc32.exe | Lgobkdom.exe
File created | C:\Windows\SysWOW64\Lgclfc32.exe | Lpidii32.exe
File created | C:\Windows\SysWOW64\Emdikm32.dll | Aekgfdpj.exe
File created | C:\Windows\SysWOW64\Bedeee32.dll | Comkdl32.exe
File opened for modification | C:\Windows\SysWOW64\Blaficqe.exe | Bjcimhab.exe
File created | C:\Windows\SysWOW64\Mmaadgcp.dll | Gjmnmk32.exe
File created | C:\Windows\SysWOW64\Ikgijelc.exe | Iiimnjmp.exe
File opened for modification | C:\Windows\SysWOW64\Dcciiope.exe | Dqemmcqb.exe
File opened for modification | C:\Windows\SysWOW64\Plnmcl32.exe | Pipqgq32.exe
File created | C:\Windows\SysWOW64\Knjbcd32.dll | Pbokaelh.exe
File opened for modification | C:\Windows\SysWOW64\Ajoiqg32.exe | Afdmphme.exe
File opened for modification | C:\Windows\SysWOW64\Cphncpld.exe | Cllaca32.exe
File opened for modification | C:\Windows\SysWOW64\Dqlcnb32.exe | Dmqgmcba.exe
File opened for modification | C:\Windows\SysWOW64\Ccngkphk.exe | Cmdonf32.exe
File created | C:\Windows\SysWOW64\Mlenijej.exe | Mekfmp32.exe
File created | C:\Windows\SysWOW64\Mafpmp32.exe | Mjohlb32.exe
File opened for modification | C:\Windows\SysWOW64\Nclfpg32.exe | Nqnicl32.exe
File created | C:\Windows\SysWOW64\Dpocioad.exe | Dqlcnb32.exe
File opened for modification | C:\Windows\SysWOW64\Bcgdknlh.exe | Blmlnd32.exe
File opened for modification | C:\Windows\SysWOW64\Knhnkc32.exe | Kliboh32.exe
File created | C:\Windows\SysWOW64\Qjbbbgql.dll | Mammfa32.exe
File opened for modification | C:\Windows\SysWOW64\Apakdmpp.exe | Ambohapm.exe
File created | C:\Windows\SysWOW64\Bgngkchf.dll | Hgnnpc32.exe
File created | C:\Windows\SysWOW64\Ofohfeoo.exe | Ocakjjok.exe
File created | C:\Windows\SysWOW64\Plmajoob.dll | Qfaqji32.exe
File opened for modification | C:\Windows\SysWOW64\Cnjhbjql.exe | Ckklfoah.exe
File created | C:\Windows\SysWOW64\Gapgkelp.dll | Labjcmqf.exe
File opened for modification | C:\Windows\SysWOW64\Apdodc32.exe | Akgfll32.exe
File created | C:\Windows\SysWOW64\Knplcofi.dll | Fojjfogp.exe
File opened for modification | C:\Windows\SysWOW64\Iibgmk32.exe | Ijofbnlm.exe
File created | C:\Windows\SysWOW64\Almjdkpo.dll | Iolojejd.exe
File created | C:\Windows\SysWOW64\Kliboh32.exe | Kepjbneo.exe
File opened for modification | C:\Windows\SysWOW64\Kmaego32.exe | Koodlbeh.exe
File created | C:\Windows\SysWOW64\Bgffdk32.exe | Bhcfiogc.exe
File created | C:\Windows\SysWOW64\Encgglkm.exe | Encgglkm.exe
File opened for modification | C:\Windows\SysWOW64\Gknjecab.exe | Ghpnihbo.exe
File opened for modification | C:\Windows\SysWOW64\Hgggpded.exe | Hhdgdg32.exe
File opened for modification | C:\Windows\SysWOW64\Lgobkdom.exe | Lpejnj32.exe
File opened for modification | C:\Windows\SysWOW64\Bkoepj32.exe | Bhqico32.exe
File created | C:\Windows\SysWOW64\Cpbioi32.dll | Ddnmhb32.exe
File created | C:\Windows\SysWOW64\Ccngkphk.exe | Cmdonf32.exe
File created | C:\Windows\SysWOW64\Nmemjoka.dll | Dblgbk32.exe
File opened for modification | C:\Windows\SysWOW64\Fkjdkqcl.exe | Fihhch32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4416 | 4376 | WerFault.exe | 393
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jikjcikm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akafff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfambk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gafelnkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdfoni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inhfmmfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qlhpjk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apdodc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbhahigb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnddkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gifgml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iiimnjmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imblii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikgijelc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jandikbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plqjilia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qnflff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qepdbpii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agngqmhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fppcjcfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adjkol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apakdmpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jifmgman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njfnlahb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmiccl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppoboj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfbifgln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fojjfogp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpbnijic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jafnhl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmkhmn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofohfeoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcodol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chcbhbio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdpoeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hglakcao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcmiqdnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecncjckf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kliboh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plecdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ampbbbbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehnieaoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnfjab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdhjjddc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dplnpp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpngec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faapbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gikahkng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhdgdg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boekqn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjcflkdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpgccm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijofbnlm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmmommnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkcgaoka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmaego32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbmoke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcffonnc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaobcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdiode32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlenijej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkhnef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oojmegqa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgffdk32.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngfml32.dll" Chcbhbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbihj32.dll" Agngqmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckklfoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchngm32.dll" Cllaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomico32.dll" Aaobcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fppcjcfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcean32.dll" Fddeifgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdamojp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbmoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnflff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkqgkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhqico32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjjopna.dll" Cfpmqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgngkchf.dll" Hgnnpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfhdkdp.dll" Mlbadj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iadabljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcecpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfgpj32.dll" Nqnicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjidkcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnflff32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnddkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjcimhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jigoolcf.dll" Hgggpded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmmommnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpjecn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglgfk32.dll" Ehnieaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idalfo32.dll" Fblcaohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcqika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkmdop.dll" Akdjfmed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daognhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogjlf32.dll" Encgglkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbadj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diekle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmngeg32.dll" Qbboakna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejomjgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbqllnco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnhgga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pphlokep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjnege32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edbmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcbeagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cchjnm32.dll" Hcbapdgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjabc32.dll" Ncjijhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Nbipmk32.dll" Bannajom.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aillbbdn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqcqgc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqhllki.dll" Eldkkali.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgfec32.dll" Mafpmp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofohfeoo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cngebd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbjjll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibiflmjc.dll" Qagehaon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ediaia32.dll" Bkiopock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjhbjql.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakkad32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfpmqg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnkjlg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bloidc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbakgjmj.exe
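The two registry tables are two halves of one persistence mechanism. The autorun table adds a value under ShellServiceObjectDelayLoad (SSODL) whose data is a CLSID; the registry-class table registers that CLSID's InProcServer32 with the path of a DLL dropped into SysWow64 and sets ThreadingModel = "Apartment", which is what Explorer needs to load the object in-process at shell start-up. Successive generations of the chain keep re-pointing the same CLSID at their own freshly dropped DLL (Apqhllki.dll, Ccgfec32.dll, Ibiflmjc.dll and Ediaia32.dll among others), so the repeated rewrite of one InProcServer32 default value is itself a useful hunting signal. The Python below is an added example, not part of the tria.ge report: it parses rows in the report's own text form and joins the two halves so the CLSID-to-DLL mapping can be read off, or re-used against a registry export. The five sample rows are copied from the tables above; the function and constant names are the example's own. One caveat the report does not spell out: the sample is 32-bit and ran on x64, so its writes landed in the Wow6432Node view, which the 64-bit Explorer does not consult (and which could not host a 32-bit DLL in-process anyway); on a 32-bit Windows host the same writes land in the native key and the DLL is loaded at logon.

```python
import re
from collections import defaultdict

# Constructed sample: five rows copied from the report's registry tables
# (one from "Adds autorun key", four from "Modifies registry class"), one per
# line, in the shape tria.ge prints them:
#   <operation> <key>[\<value name> = "<data>"] <process>
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlnfof32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aillbbdn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqcqgc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqhllki.dll" Eldkkali.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgfec32.dll" Mafpmp32.exe
'''

ROW_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'       # key, or key\value-name on Set value rows
    r'(?: = "(?P<data>.*)")?'          # data, present only on Set value rows
    r' (?P<proc>\S+)$'                 # process that made the change
)
CLSID_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')
SSODL_KEY_SUFFIX = "\\ShellServiceObjectDelayLoad"


def parse_rows(text):
    """Turn report rows into dicts with op, key, value (None for 'Key created',
    '' for a key's default value), data and proc."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        op, path, data, proc = m.group("op", "path", "data", "proc")
        if op == "Key created":
            key, value = path, None
        else:
            key, _, value = path.rpartition("\\")   # trailing "\" => default value
        if data is not None:
            data = data.replace("\\\\", "\\")        # undo the report's escaping
        rows.append({"op": op, "key": key, "value": value, "data": data, "proc": proc})
    return rows


def persistence_chain(rows):
    """Join the two halves of the technique: an SSODL value names a CLSID, and
    that CLSID's InProcServer32 default value names the DLL Explorer will load.
    Returns {ssodl value name: {clsid, registered_by, dlls, set_by, threading}}."""
    servers = defaultdict(lambda: {"dlls": [], "set_by": [], "threading": None})
    for r in rows:
        if r["op"] != "Set value (str)":
            continue
        m = CLSID_SERVER_RE.search(r["key"])
        if not m:
            continue
        entry = servers[m.group(1).upper()]
        if r["value"] == "":                       # default value: the DLL path
            entry["dlls"].append(r["data"])
            entry["set_by"].append(r["proc"])
        elif r["value"].lower() == "threadingmodel":
            entry["threading"] = r["data"]

    chain = {}
    for r in rows:
        if r["op"] == "Set value (str)" and r["key"].endswith(SSODL_KEY_SUFFIX):
            clsid = r["data"].upper()
            info = servers.get(clsid, {"dlls": [], "set_by": [], "threading": None})
            chain[r["value"]] = {"clsid": clsid, "registered_by": r["proc"], **info}
    return chain


if __name__ == "__main__":
    for name, info in persistence_chain(parse_rows(SAMPLE_ROWS)).items():
        print("SSODL '%s' -> %s (set by %s)" % (name, info["clsid"], info["registered_by"]))
        for dll, proc in zip(info["dlls"], info["set_by"]):
            print("   InProcServer32 -> %s (set by %s, %s)" % (dll, proc, info["threading"]))
```

Run against the full report, the dlls list for the one CLSID grows by one entry per generation that touches it; any SSODL name whose InProcServer32 was rewritten more than once during a single execution is worth pulling from the host.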
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each of the 16 parent-to-child records below is recorded four times in the report (64 IoCs in total).
PID 1908 wrote to memory of 980  1908  e8cc2eab5e6c5f31e6c37d3df4f44340N.exe  29
PID 980 wrote to memory of 1272  980  Pmefidoj.exe  30
PID 1272 wrote to memory of 1692  1272  Pdpoeo32.exe  31
PID 1692 wrote to memory of 1348  1692  Qbboakna.exe  32
PID 1348 wrote to memory of 2612  1348  Qbelfk32.exe  33
PID 2612 wrote to memory of 2780  2612  Qiodcecl.exe  34
PID 2780 wrote to memory of 2996  2780  Qpilpo32.exe  35
PID 2996 wrote to memory of 852  2996  Aajhhgpg.exe  36
PID 852 wrote to memory of 2548  852  Ahdqdahc.exe  37
PID 2548 wrote to memory of 2384  2548  Abieajgi.exe  38
PID 2384 wrote to memory of 2460  2384  Adkaib32.exe  39
PID 2460 wrote to memory of 2892  2460  Akdjfmed.exe  40
PID 2892 wrote to memory of 2828  2892  Aaobcg32.exe  41
PID 2828 wrote to memory of 2684  2828  Akgfll32.exe  42
PID 2684 wrote to memory of 3056  2684  Apdodc32.exe  43
PID 3056 wrote to memory of 552  3056  Agngqmhf.exe  44
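Every record in this table has the same shape: a process writes into the child it has just created, four times, and never into any other process. The 64 records shown are therefore the first sixteen links of the process chain seen through the WriteProcessMemory API; what would matter for triage is a write whose target is not the writer's own child. The Python below is an added example, not part of the tria.ge report: it parses records in the report's text form, rebuilds the chain, counts writes per parent/child pair and flags any write that does not match the parent/child relationship in the process tree. The sixteen sample records and the small TREE map are copied from this report; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the first four parent/child pairs from the report's
# WriteProcessMemory table, one record per line, in the report's own column
# order (description, pid, Process, procid_target). As in the report, every
# pair is recorded four times.
SAMPLE_RECORDS = """
PID 1908 wrote to memory of 980 1908 e8cc2eab5e6c5f31e6c37d3df4f44340N.exe 29
PID 1908 wrote to memory of 980 1908 e8cc2eab5e6c5f31e6c37d3df4f44340N.exe 29
PID 1908 wrote to memory of 980 1908 e8cc2eab5e6c5f31e6c37d3df4f44340N.exe 29
PID 1908 wrote to memory of 980 1908 e8cc2eab5e6c5f31e6c37d3df4f44340N.exe 29
PID 980 wrote to memory of 1272 980 Pmefidoj.exe 30
PID 980 wrote to memory of 1272 980 Pmefidoj.exe 30
PID 980 wrote to memory of 1272 980 Pmefidoj.exe 30
PID 980 wrote to memory of 1272 980 Pmefidoj.exe 30
PID 1272 wrote to memory of 1692 1272 Pdpoeo32.exe 31
PID 1272 wrote to memory of 1692 1272 Pdpoeo32.exe 31
PID 1272 wrote to memory of 1692 1272 Pdpoeo32.exe 31
PID 1272 wrote to memory of 1692 1272 Pdpoeo32.exe 31
PID 1692 wrote to memory of 1348 1692 Qbboakna.exe 32
PID 1692 wrote to memory of 1348 1692 Qbboakna.exe 32
PID 1692 wrote to memory of 1348 1692 Qbboakna.exe 32
PID 1692 wrote to memory of 1348 1692 Qbboakna.exe 32
"""

# Constructed from the report's process tree: PID -> (image name, parent PID).
TREE = {
    1908: ("e8cc2eab5e6c5f31e6c37d3df4f44340N.exe", None),
    980: ("Pmefidoj.exe", 1908),
    1272: ("Pdpoeo32.exe", 980),
    1692: ("Qbboakna.exe", 1272),
    1348: ("Qbelfk32.exe", 1692),
}

REC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_records(text):
    """Parse one record per line into dicts: writer, target, image, target_id."""
    recs = []
    for line in text.strip().splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed record: " + line)
        writer, target, pid, image, target_id = m.groups()
        if writer != pid:
            raise ValueError("description and pid column disagree: " + line)
        recs.append({"writer": int(writer), "target": int(target),
                     "image": image, "target_id": int(target_id)})
    return recs


def write_counts(recs):
    """Number of WriteProcessMemory calls per (writer, target) pair."""
    return Counter((r["writer"], r["target"]) for r in recs)


def injection_chain(recs, root):
    """Follow writer -> target links from root and return the ordered PIDs.
    Fails loudly if a writer hit more than one target, i.e. the chain is not
    the strictly linear parent-to-child pattern the report shows."""
    targets = {}
    for r in recs:
        targets.setdefault(r["writer"], set()).add(r["target"])
    chain, seen = [root], {root}
    while chain[-1] in targets:
        dsts = targets[chain[-1]]
        if len(dsts) != 1:
            raise ValueError("PID %d wrote into several processes: %s"
                             % (chain[-1], sorted(dsts)))
        nxt = next(iter(dsts))
        if nxt in seen:
            raise ValueError("cycle at PID %d" % nxt)
        chain.append(nxt)
        seen.add(nxt)
    return chain


def foreign_writes(recs, tree):
    """Records whose target is not the writer's own direct child in the tree,
    or whose image name disagrees with the tree: the ones that would point at
    injection into an unrelated process."""
    bad = []
    for r in recs:
        _, parent = tree.get(r["target"], (None, None))
        writer_image = tree.get(r["writer"], (None, None))[0]
        if parent != r["writer"] or writer_image != r["image"]:
            bad.append(r)
    return bad


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    chain = injection_chain(recs, 1908)
    print(" -> ".join("%s(%d)" % (TREE[p][0], p) for p in chain))
    print(write_counts(recs))
    print("foreign writes:", foreign_writes(recs, TREE))
```

On the full table the chain is the first seventeen processes of the tree in order and foreign_writes is empty; feeding it records from a run where a process wrote into something other than its own child makes injection_chain raise and foreign_writes return the offending records.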
Processes
Each line gives the process's level in the tree, its image path, its PID and its behaviour tags (legend below). Every child was started with the command line C:\Windows\system32\<name>.exe; because these are 32-bit processes, WOW64 file system redirection resolves that to the C:\Windows\SysWOW64 image path shown. Each process starts exactly one child, so the tree is a single chain 122 levels deep, each generation running a freshly dropped executable.
Legend: AUTORUN = Adds autorun key to be loaded by Explorer.exe on startup; EXE = Executes dropped EXE; DLL = Loads dropped DLL; SYS32 = Drops file in System32 directory; LANG = System Location Discovery: System Language Discovery; REG = Modifies registry class; WPM = Suspicious use of WriteProcessMemory.
1  C:\Users\Admin\AppData\Local\Temp\e8cc2eab5e6c5f31e6c37d3df4f44340N.exe  (command line "C:\Users\Admin\AppData\Local\Temp\e8cc2eab5e6c5f31e6c37d3df4f44340N.exe")  PID 1908  [DLL, SYS32, WPM]
2  C:\Windows\SysWOW64\Pmefidoj.exe  PID 980  [EXE, DLL, WPM]
3  C:\Windows\SysWOW64\Pdpoeo32.exe  PID 1272  [EXE, DLL, LANG, WPM]
4  C:\Windows\SysWOW64\Qbboakna.exe  PID 1692  [EXE, DLL, REG, WPM]
5  C:\Windows\SysWOW64\Qbelfk32.exe  PID 1348  [AUTORUN, EXE, DLL, WPM]
6  C:\Windows\SysWOW64\Qiodcecl.exe  PID 2612  [EXE, DLL, WPM]
7  C:\Windows\SysWOW64\Qpilpo32.exe  PID 2780  [EXE, DLL, WPM]
8  C:\Windows\SysWOW64\Aajhhgpg.exe  PID 2996  [EXE, DLL, WPM]
9  C:\Windows\SysWOW64\Ahdqdahc.exe  PID 852  [EXE, DLL, WPM]
10  C:\Windows\SysWOW64\Abieajgi.exe  PID 2548  [EXE, DLL, WPM]
11  C:\Windows\SysWOW64\Adkaib32.exe  PID 2384  [EXE, DLL, WPM]
12  C:\Windows\SysWOW64\Akdjfmed.exe  PID 2460  [EXE, DLL, REG, WPM]
13  C:\Windows\SysWOW64\Aaobcg32.exe  PID 2892  [EXE, DLL, LANG, REG, WPM]
14  C:\Windows\SysWOW64\Akgfll32.exe  PID 2828  [EXE, DLL, SYS32, WPM]
15  C:\Windows\SysWOW64\Apdodc32.exe  PID 2684  [EXE, DLL, LANG, WPM]
16  C:\Windows\SysWOW64\Agngqmhf.exe  PID 3056  [EXE, DLL, LANG, REG, WPM]
17  C:\Windows\SysWOW64\Aacknfhl.exe  PID 552  [EXE, DLL]
18  C:\Windows\SysWOW64\Agpdfmfc.exe  PID 2264  [EXE, DLL]
19  C:\Windows\SysWOW64\Bnjlcgnp.exe  PID 2484  [EXE, DLL]
20  C:\Windows\SysWOW64\Blmlnd32.exe  PID 2368  [AUTORUN, EXE, DLL, SYS32]
21  C:\Windows\SysWOW64\Bcgdknlh.exe  PID 2092  [EXE, DLL]
22  C:\Windows\SysWOW64\Bjamhh32.exe  PID 1584  [EXE, DLL, SYS32]
23  C:\Windows\SysWOW64\Bloidc32.exe  PID 1432  [EXE, DLL, REG]
24  C:\Windows\SysWOW64\Bgemal32.exe  PID 1200  [EXE, DLL]
25  C:\Windows\SysWOW64\Bjcimhab.exe  PID 1456  [EXE, DLL, SYS32, REG]
26  C:\Windows\SysWOW64\Blaficqe.exe  PID 1984  [EXE, DLL]
27  C:\Windows\SysWOW64\Bpmajb32.exe  PID 2228  [AUTORUN, EXE, DLL, REG]
28  C:\Windows\SysWOW64\Bannajom.exe  PID 3060  [EXE, DLL, REG]
29  C:\Windows\SysWOW64\Boboknnf.exe  PID 2804  [EXE, DLL]
30  C:\Windows\SysWOW64\Bbakgjmj.exe  PID 1132  [EXE, DLL, REG]
31  C:\Windows\SysWOW64\Bkiopock.exe  PID 2608  [AUTORUN, EXE, DLL, REG]
32  C:\Windows\SysWOW64\Boekqn32.exe  PID 2748  [EXE, DLL, SYS32, LANG]
33  C:\Windows\SysWOW64\Ckklfoah.exe  PID 2772  [EXE, SYS32, REG]
34  C:\Windows\SysWOW64\Cnjhbjql.exe  PID 2616  [EXE, REG]
35  C:\Windows\SysWOW64\Cqhdnfpp.exe  PID 2504  [EXE]
36  C:\Windows\SysWOW64\Chpmocpa.exe  PID 1480  [EXE]
37  C:\Windows\SysWOW64\Cjqigkfp.exe  PID 2832  [AUTORUN, EXE]
38  C:\Windows\SysWOW64\Cbhahigb.exe  PID 2540  [EXE, LANG]
39  C:\Windows\SysWOW64\Cgdippej.exe  PID 2148  [EXE]
40  C:\Windows\SysWOW64\Cjcflkdm.exe  PID 2952  [EXE, LANG]
41  C:\Windows\SysWOW64\Cdhjjddc.exe  PID 2680  [EXE, LANG]
42  C:\Windows\SysWOW64\Cmdonf32.exe  PID 2820  [EXE, SYS32]
43  C:\Windows\SysWOW64\Ccngkphk.exe  PID 884  [EXE]
44  C:\Windows\SysWOW64\Dmfkcf32.exe  PID 2876  [EXE]
45  C:\Windows\SysWOW64\Dbcdlm32.exe  PID 2244  [EXE]
46  C:\Windows\SysWOW64\Dmhhie32.exe  PID 2256  [EXE]
47  C:\Windows\SysWOW64\Dcbpfp32.exe  PID 2428  [EXE]
48  C:\Windows\SysWOW64\Dfambk32.exe  PID 2308  [EXE, LANG, REG]
49  C:\Windows\SysWOW64\Dmkeoekf.exe  PID 1852  [EXE]
50  C:\Windows\SysWOW64\Dpiakqjj.exe  PID 1064  [EXE]
51  C:\Windows\SysWOW64\Dfcigk32.exe  PID 1548  [AUTORUN, EXE]
52  C:\Windows\SysWOW64\Diaecf32.exe  PID 2988  [AUTORUN, EXE]
53  C:\Windows\SysWOW64\Dplnpp32.exe  PID 2688  [EXE, LANG]
54  C:\Windows\SysWOW64\Dbjjll32.exe  PID 2652  [EXE, REG]
55  C:\Windows\SysWOW64\Didbifoh.exe  PID 2724  [EXE]
56  C:\Windows\SysWOW64\Dlboeanl.exe  PID 2528  [EXE]
57  C:\Windows\SysWOW64\Dblgbk32.exe  PID 2116  [EXE, SYS32]
58  C:\Windows\SysWOW64\Daognhlc.exe  PID 1644  [AUTORUN, EXE, REG]
59  C:\Windows\SysWOW64\Ecncjckf.exe  PID 3068  [EXE, LANG]
60  C:\Windows\SysWOW64\Eldkkali.exe  PID 2908  [EXE, REG]
61  C:\Windows\SysWOW64\Encgglkm.exe  PID 2920  [AUTORUN, EXE, SYS32]
62  C:\Windows\SysWOW64\Encgglkm.exe  PID 2700  [EXE, REG]
63  C:\Windows\SysWOW64\Eempcfbi.exe  PID 1072  [EXE]
64  C:\Windows\SysWOW64\Ecppoc32.exe  PID 756  [EXE]
65  C:\Windows\SysWOW64\Enedml32.exe  PID 2240  [EXE, SYS32]
66  C:\Windows\SysWOW64\Emhdhipd.exe  PID 2360  [no tags]
67  C:\Windows\SysWOW64\Edbmec32.exe  PID 2044  [AUTORUN, REG]
68  C:\Windows\SysWOW64\Ehnieaoj.exe  PID 1436  [LANG, REG]
69  C:\Windows\SysWOW64\Eioemj32.exe  PID 968  [no tags]
70  C:\Windows\SysWOW64\Eafmng32.exe  PID 2220  [no tags]
71  C:\Windows\SysWOW64\Epimjd32.exe  PID 688  [no tags]
72  C:\Windows\SysWOW64\Eiabbicf.exe  PID 2808  [no tags]
73  C:\Windows\SysWOW64\Edgfpbcl.exe  PID 2744  [SYS32]
74  C:\Windows\SysWOW64\Efeblnbp.exe  PID 2948  [no tags]
75  C:\Windows\SysWOW64\Elbkddpg.exe  PID 2672  [AUTORUN]
76  C:\Windows\SysWOW64\Fpngec32.exe  PID 868  [LANG]
77  C:\Windows\SysWOW64\Fblcaohd.exe  PID 2956  [REG]
78  C:\Windows\SysWOW64\Fejomjgg.exe  PID 2836  [REG]
79  C:\Windows\SysWOW64\Fldgjd32.exe  PID 1236  [no tags]
80  C:\Windows\SysWOW64\Fppcjcfn.exe  PID 1888  [LANG, REG]
81  C:\Windows\SysWOW64\Fbnpfnfa.exe  PID 596  [no tags]
82  C:\Windows\SysWOW64\Faapbk32.exe  PID 1056  [LANG]
83  C:\Windows\SysWOW64\Fihhch32.exe  PID 1496  [SYS32]
84  C:\Windows\SysWOW64\Fkjdkqcl.exe  PID 3028  [no tags]
85  C:\Windows\SysWOW64\Fbqllnco.exe  PID 2324  [SYS32, REG]
86  C:\Windows\SysWOW64\Feoihi32.exe  PID 2656  [no tags]
87  C:\Windows\SysWOW64\Fliaecjo.exe  PID 2764  [no tags]
88  C:\Windows\SysWOW64\Fmjmml32.exe  PID 2760  [no tags]
89  C:\Windows\SysWOW64\Fafimjhf.exe  PID 2140  [no tags]
90  C:\Windows\SysWOW64\Fddeifgj.exe  PID 2856  [AUTORUN, REG]
91  C:\Windows\SysWOW64\Fgcbeagn.exe  PID 1816  [AUTORUN, REG]
92  C:\Windows\SysWOW64\Fojjfogp.exe  PID 2056  [SYS32, LANG]
93  C:\Windows\SysWOW64\Fpkfng32.exe  PID 2032  [SYS32]
94  C:\Windows\SysWOW64\Fhbnpdnq.exe  PID 936  [no tags]
95  C:\Windows\SysWOW64\Gmoghklh.exe  PID 320  [AUTORUN, SYS32]
96  C:\Windows\SysWOW64\Gdiode32.exe  PID 3016  [AUTORUN, LANG]
97  C:\Windows\SysWOW64\Gkcgaoka.exe  PID 2204  [LANG]
98  C:\Windows\SysWOW64\Gifgml32.exe  PID 1212  [AUTORUN, LANG]
99  C:\Windows\SysWOW64\Glddig32.exe  PID 2736  [no tags]
100  C:\Windows\SysWOW64\Gcnleahm.exe  PID 836  [AUTORUN]
101  C:\Windows\SysWOW64\Ggjhfpqf.exe  PID 2520  [no tags]
102  C:\Windows\SysWOW64\Gihdblpi.exe  PID 2136  [no tags]
103  C:\Windows\SysWOW64\Glfqngom.exe  PID 2844  [AUTORUN]
104  C:\Windows\SysWOW64\Gcqika32.exe  PID 2716  [REG]
105  C:\Windows\SysWOW64\Geoegm32.exe  PID 1232  [AUTORUN]
106  C:\Windows\SysWOW64\Gikahkng.exe  PID 1792  [AUTORUN, LANG]
107  C:\Windows\SysWOW64\Gpdide32.exe  PID 1196  [no tags]
108  C:\Windows\SysWOW64\Gafelnkb.exe  PID 1452  [LANG]
109  C:\Windows\SysWOW64\Gjmnmk32.exe  PID 332  [SYS32]
110  C:\Windows\SysWOW64\Ghpnihbo.exe  PID 3052  [SYS32]
111  C:\Windows\SysWOW64\Gknjecab.exe  PID 2664  [no tags]
112  C:\Windows\SysWOW64\Gcebfqbd.exe  PID 1648  [no tags]
113  C:\Windows\SysWOW64\Hdfoni32.exe  PID 2600  [LANG]
114  C:\Windows\SysWOW64\Hlnfof32.exe  PID 2144  [AUTORUN]
115  C:\Windows\SysWOW64\Hkqgkcpp.exe  PID 1868  [REG]
116  C:\Windows\SysWOW64\Hffkhlof.exe  PID 576  [no tags]
117  C:\Windows\SysWOW64\Hhdgdg32.exe  PID 2312  [SYS32, LANG]
118  C:\Windows\SysWOW64\Hgggpded.exe  PID 1728  [REG]
119  C:\Windows\SysWOW64\Hqplhi32.exe  PID 2336  [no tags]
120  C:\Windows\SysWOW64\Hjhqaobe.exe  PID 2556  [no tags]
121  C:\Windows\SysWOW64\Hdneohbk.exe  PID 1068  [no tags]
122  C:\Windows\SysWOW64\Hglakcao.exe  PID 2936  [LANG]