Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27/07/2024, 02:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe
-
Size
67KB
-
MD5
a4d8fc1d0f7d7a3fdbedff301d10961f
-
SHA1
8d91c028ad5ff9d96d8450152fa825fcc4b93244
-
SHA256
afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05
-
SHA512
3473956defc9cbba80445fe957dd6a675d28aa79959e616021fcd8cb30e23014592301b62f6ba8297c5690d23b8bc292cd9f92003e5dd3c3648f0d0cf0dfef61
-
SSDEEP
1536:C9Wft3InepQ4fy8GXHbZyokjPQ+FzBveEk8OS5w1cgCe8uC:LJInEyPVD+vVk85wugCe8uC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdnibdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piieicgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohbjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgblphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popgboae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mginjnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpckce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ammoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmekpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djeljd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecodfogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgmiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gplcia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdqpdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlghpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfahaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmdfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpckce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankedf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakmghbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbodpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqglng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcqep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcdigpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fillabde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicmadmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annpaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfobllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmhqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaajfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocqhcqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhelghol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhodpidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfpjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlpadaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfggicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmhqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idnppjcj.exe -
Executes dropped EXE 64 IoCs
pid Process 2060 Ghacfmic.exe 2988 Gdhdkn32.exe 2864 Gfkmie32.exe 2756 Gfnjne32.exe 2920 Hkolakkb.exe 2656 Hkahgk32.exe 2184 Igmbgk32.exe 1120 Iphgln32.exe 2276 Ibipmiek.exe 1976 Jbnjhh32.exe 1656 Jeqopcld.exe 2956 Jokqnhpa.exe 2156 Kalipcmb.exe 2412 Kijkje32.exe 2560 Kcdlhj32.exe 940 Kkpqlm32.exe 2964 Ldmopa32.exe 3028 Lnecigcp.exe 1540 Lcdhgn32.exe 2792 Mjqmig32.exe 676 Mblbnj32.exe 2148 Mdogedmh.exe 2108 Mqehjecl.exe 988 Nmofdf32.exe 2996 Nnnbni32.exe 2356 Npbklabl.exe 1600 Obbdml32.exe 2700 Obgnhkkh.exe 2712 Ohfcfb32.exe 2616 Odmckcmq.exe 2620 Pacajg32.exe 2680 Pfbfhm32.exe 2012 Popgboae.exe 1816 Qhilkege.exe 1044 Qaapcj32.exe 1952 Ahmefdcp.exe 1748 Agbbgqhh.exe 2944 Akpkmo32.exe 2228 Alddjg32.exe 624 Bcpimq32.exe 2668 Bogjaamh.exe 1040 Bhbkpgbf.exe 1784 Bbjpil32.exe 1140 Bqolji32.exe 372 Cncmcm32.exe 1680 Cmhjdiap.exe 2484 Cqfbjhgf.exe 1236 Cjogcm32.exe 1652 Cehhdkjf.exe 2692 Dblhmoio.exe 1576 Dgiaefgg.exe 1224 Daaenlng.exe 2764 Dbabho32.exe 748 Djlfma32.exe 2928 Dhpgfeao.exe 2640 Dmmpolof.exe 1260 Ejaphpnp.exe 1756 Eifmimch.exe 2028 Efjmbaba.exe 1136 Elgfkhpi.exe 2968 Efljhq32.exe 1048 Ehnfpifm.exe 1704 Elkofg32.exe 1632 Fahhnn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 2060 Ghacfmic.exe 2060 Ghacfmic.exe 2988 Gdhdkn32.exe 2988 Gdhdkn32.exe 2864 Gfkmie32.exe 2864 Gfkmie32.exe 2756 Gfnjne32.exe 2756 Gfnjne32.exe 2920 Hkolakkb.exe 2920 Hkolakkb.exe 2656 Hkahgk32.exe 2656 Hkahgk32.exe 2184 Igmbgk32.exe 2184 Igmbgk32.exe 1120 Iphgln32.exe 1120 Iphgln32.exe 2276 Ibipmiek.exe 2276 Ibipmiek.exe 1976 Jbnjhh32.exe 1976 Jbnjhh32.exe 1656 Jeqopcld.exe 1656 Jeqopcld.exe 2956 Jokqnhpa.exe 2956 Jokqnhpa.exe 2156 Kalipcmb.exe 2156 Kalipcmb.exe 2412 Kijkje32.exe 2412 Kijkje32.exe 2560 Kcdlhj32.exe 2560 Kcdlhj32.exe 940 Kkpqlm32.exe 940 Kkpqlm32.exe 2964 Ldmopa32.exe 2964 Ldmopa32.exe 3028 Lnecigcp.exe 3028 Lnecigcp.exe 1540 Lcdhgn32.exe 1540 Lcdhgn32.exe 2792 Mjqmig32.exe 2792 Mjqmig32.exe 676 Mblbnj32.exe 676 Mblbnj32.exe 2148 Mdogedmh.exe 2148 Mdogedmh.exe 2108 Mqehjecl.exe 2108 Mqehjecl.exe 988 Nmofdf32.exe 988 Nmofdf32.exe 2996 Nnnbni32.exe 2996 Nnnbni32.exe 2356 Npbklabl.exe 2356 Npbklabl.exe 1600 Obbdml32.exe 1600 Obbdml32.exe 2700 Obgnhkkh.exe 2700 Obgnhkkh.exe 2712 Ohfcfb32.exe 2712 Ohfcfb32.exe 2616 Odmckcmq.exe 2616 Odmckcmq.exe 2620 Pacajg32.exe 2620 Pacajg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkpnjd32.exe Heqimm32.exe File created C:\Windows\SysWOW64\Gjdnoa32.dll Jgkdigfa.exe File created C:\Windows\SysWOW64\Ondomh32.dll Imkeneja.exe File created C:\Windows\SysWOW64\Ncejcg32.exe Nnhakp32.exe File created C:\Windows\SysWOW64\Mlnbmikh.exe Mojaceln.exe File created C:\Windows\SysWOW64\Kabngjla.exe Kigibh32.exe File created C:\Windows\SysWOW64\Pgaahh32.exe Pnimpcke.exe File created C:\Windows\SysWOW64\Ejlgjcji.dll Kiqdmm32.exe File created C:\Windows\SysWOW64\Gaaonn32.dll Kkdnke32.exe File created C:\Windows\SysWOW64\Aogmdk32.exe Acplpjpj.exe File opened for modification C:\Windows\SysWOW64\Ldmopa32.exe Kkpqlm32.exe File opened for modification C:\Windows\SysWOW64\Fodgkp32.exe Felcbk32.exe File created C:\Windows\SysWOW64\Jkolkfab.dll Elejqm32.exe File created C:\Windows\SysWOW64\Ffeejokj.dll Kcamln32.exe File created C:\Windows\SysWOW64\Fmmpia32.dll Kgelahmn.exe File created C:\Windows\SysWOW64\Lcohahpn.exe Lpnopm32.exe File opened for modification C:\Windows\SysWOW64\Pbgefa32.exe Pgaahh32.exe File created C:\Windows\SysWOW64\Fqheei32.exe Fjomhonj.exe File opened for modification C:\Windows\SysWOW64\Pbkgegad.exe Oicbma32.exe File created C:\Windows\SysWOW64\Ihjpll32.dll Jnbpqb32.exe File created C:\Windows\SysWOW64\Camlob32.dll Gllpflng.exe File created C:\Windows\SysWOW64\Hfdmhh32.exe Hhopgkin.exe File created C:\Windows\SysWOW64\Dhodpidl.exe Dcblgbfe.exe File opened for modification C:\Windows\SysWOW64\Empphi32.exe Eplood32.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fahhnn32.exe File opened for modification C:\Windows\SysWOW64\Aeokba32.exe Anecfgdc.exe File opened for modification C:\Windows\SysWOW64\Emjjfb32.exe Egmbnkie.exe File opened for modification C:\Windows\SysWOW64\Mlnbmikh.exe Mojaceln.exe File created C:\Windows\SysWOW64\Kikakd32.dll Eigbfb32.exe File created C:\Windows\SysWOW64\Cedhac32.dll Cdgdlnop.exe File created C:\Windows\SysWOW64\Dhmcaf32.dll Ldmopa32.exe File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe Kbhbai32.exe File created C:\Windows\SysWOW64\Cokdhpcc.dll Kkckblgq.exe File created C:\Windows\SysWOW64\Jpomnilc.exe Iokdaa32.exe File created C:\Windows\SysWOW64\Mbkkepio.exe Mlnbmikh.exe File created C:\Windows\SysWOW64\Kdbepm32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Eljgid32.dll Ieeqpi32.exe File created C:\Windows\SysWOW64\Kdfmlc32.exe Jbedkhie.exe File created C:\Windows\SysWOW64\Agnjge32.exe Aiimfi32.exe File opened for modification C:\Windows\SysWOW64\Kbgnil32.exe Jfpndkel.exe File opened for modification C:\Windows\SysWOW64\Pacajg32.exe Odmckcmq.exe File opened for modification C:\Windows\SysWOW64\Ofafgipc.exe Nndemg32.exe File opened for modification C:\Windows\SysWOW64\Cqleifna.exe Cchdpbog.exe File created C:\Windows\SysWOW64\Gfpjgn32.exe Gfmmanif.exe File created C:\Windows\SysWOW64\Oifbhdjc.dll Llgllj32.exe File created C:\Windows\SysWOW64\Opcqhn32.dll Fnkblm32.exe File opened for modification C:\Windows\SysWOW64\Ododdlcd.exe Oejgbonl.exe File created C:\Windows\SysWOW64\Emgdmc32.exe Ebappk32.exe File opened for modification C:\Windows\SysWOW64\Gplcia32.exe Glnkcc32.exe File opened for modification C:\Windows\SysWOW64\Edmkei32.exe Egikle32.exe File opened for modification C:\Windows\SysWOW64\Oolelj32.exe Ohbmppia.exe File created C:\Windows\SysWOW64\Ekofgnna.exe Edenjc32.exe File opened for modification C:\Windows\SysWOW64\Edohki32.exe Enepnoji.exe File opened for modification C:\Windows\SysWOW64\Fepnhjdh.exe Ehlmnfeo.exe File created C:\Windows\SysWOW64\Eajhgg32.exe Elnonp32.exe File created C:\Windows\SysWOW64\Nmggllha.exe Mkfojakp.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Omqjgl32.exe File opened for modification C:\Windows\SysWOW64\Clclhmin.exe Cbkgog32.exe File opened for modification C:\Windows\SysWOW64\Gdihmo32.exe Gjpddigo.exe File created C:\Windows\SysWOW64\Kdjceb32.exe Kkaolm32.exe File created C:\Windows\SysWOW64\Kkpqlm32.exe Kcdlhj32.exe File created C:\Windows\SysWOW64\Dmlibo32.dll Nbilhkig.exe File created C:\Windows\SysWOW64\Igffogeb.dll Ncejcg32.exe File created C:\Windows\SysWOW64\Poinfpdk.dll Fillabde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3552 2216 WerFault.exe 999 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpgce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjnnbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpnag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmgodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjmidcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabplobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfjgaih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngencpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccdqloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhgbibgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijolbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphooc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipefmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkghqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgdhcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankhmncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpfcnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmpolof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogabql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbqgolpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmmanif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpkkbcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnmoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmelfeqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elejqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpndkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlpadaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmipmjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolhdbjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdiokf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manjaldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkeneja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcekkkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaheqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opmhqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajibckpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfpjgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjhaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcohahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbdnbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbodi32.dll" Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhnmpigi.dll" Jeofnpke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfonlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepnhjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakjdp32.dll" Fladmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfabpac.dll" Igcjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njlcah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnbbkodn.dll" Emjjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjpacdo.dll" Jbpfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbjgneh.dll" Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll" Bdaabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhfdqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mookod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ficehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikgfdlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnoai32.dll" Fkgpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknpan32.dll" Kigibh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhbed32.dll" Ddjphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqifajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfdcbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjnnqk.dll" Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll" Aijfihip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjddkg32.dll" Kacakgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfddkmch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Celpqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcenmcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmmfl32.dll" Bemmenhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noohlkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll" Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmieogma.dll" Kioiffcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embbek32.dll" Cofofolh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmekpmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgdlnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkpefi.dll" Dmcfngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoecbheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emadmmop.dll" Jempcgad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkaolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdbnlgi.dll" Hefibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfnb32.dll" Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkqcb32.dll" Bggjjlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifqfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnicddki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnemg32.dll" Mginjnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlqgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gghloe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeeff32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2060 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 31 PID 2280 wrote to memory of 2060 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 31 PID 2280 wrote to memory of 2060 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 31 PID 2280 wrote to memory of 2060 2280 afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe 31 PID 2060 wrote to memory of 2988 2060 Ghacfmic.exe 32 PID 2060 wrote to memory of 2988 2060 Ghacfmic.exe 32 PID 2060 wrote to memory of 2988 2060 Ghacfmic.exe 32 PID 2060 wrote to memory of 2988 2060 Ghacfmic.exe 32 PID 2988 wrote to memory of 2864 2988 Gdhdkn32.exe 33 PID 2988 wrote to memory of 2864 2988 Gdhdkn32.exe 33 PID 2988 wrote to memory of 2864 2988 Gdhdkn32.exe 33 PID 2988 wrote to memory of 2864 2988 Gdhdkn32.exe 33 PID 2864 wrote to memory of 2756 2864 Gfkmie32.exe 34 PID 2864 wrote to memory of 2756 2864 Gfkmie32.exe 34 PID 2864 wrote to memory of 2756 2864 Gfkmie32.exe 34 PID 2864 wrote to memory of 2756 2864 Gfkmie32.exe 34 PID 2756 wrote to memory of 2920 2756 Gfnjne32.exe 35 PID 2756 wrote to memory of 2920 2756 Gfnjne32.exe 35 PID 2756 wrote to memory of 2920 2756 Gfnjne32.exe 35 PID 2756 wrote to memory of 2920 2756 Gfnjne32.exe 35 PID 2920 wrote to memory of 2656 2920 Hkolakkb.exe 36 PID 2920 wrote to memory of 2656 2920 Hkolakkb.exe 36 PID 2920 wrote to memory of 2656 2920 Hkolakkb.exe 36 PID 2920 wrote to memory of 2656 2920 Hkolakkb.exe 36 PID 2656 wrote to memory of 2184 2656 Hkahgk32.exe 37 PID 2656 wrote to memory of 2184 2656 Hkahgk32.exe 37 PID 2656 wrote to memory of 2184 2656 Hkahgk32.exe 37 PID 2656 wrote to memory of 2184 2656 Hkahgk32.exe 37 PID 2184 wrote to memory of 1120 2184 Igmbgk32.exe 38 PID 2184 wrote to memory of 1120 2184 Igmbgk32.exe 38 PID 2184 wrote to memory of 1120 2184 Igmbgk32.exe 38 PID 2184 wrote to memory of 1120 2184 Igmbgk32.exe 38 PID 1120 wrote to memory of 2276 1120 Iphgln32.exe 39 PID 1120 wrote to memory of 2276 1120 Iphgln32.exe 39 PID 1120 wrote to memory of 2276 1120 Iphgln32.exe 39 PID 1120 wrote to memory of 2276 1120 Iphgln32.exe 39 PID 2276 wrote to memory of 1976 2276 Ibipmiek.exe 40 PID 2276 wrote to memory of 1976 2276 Ibipmiek.exe 40 PID 2276 wrote to memory of 1976 2276 Ibipmiek.exe 40 PID 2276 wrote to memory of 1976 2276 Ibipmiek.exe 40 PID 1976 wrote to memory of 1656 1976 Jbnjhh32.exe 41 PID 1976 wrote to memory of 1656 1976 Jbnjhh32.exe 41 PID 1976 wrote to memory of 1656 1976 Jbnjhh32.exe 41 PID 1976 wrote to memory of 1656 1976 Jbnjhh32.exe 41 PID 1656 wrote to memory of 2956 1656 Jeqopcld.exe 42 PID 1656 wrote to memory of 2956 1656 Jeqopcld.exe 42 PID 1656 wrote to memory of 2956 1656 Jeqopcld.exe 42 PID 1656 wrote to memory of 2956 1656 Jeqopcld.exe 42 PID 2956 wrote to memory of 2156 2956 Jokqnhpa.exe 43 PID 2956 wrote to memory of 2156 2956 Jokqnhpa.exe 43 PID 2956 wrote to memory of 2156 2956 Jokqnhpa.exe 43 PID 2956 wrote to memory of 2156 2956 Jokqnhpa.exe 43 PID 2156 wrote to memory of 2412 2156 Kalipcmb.exe 44 PID 2156 wrote to memory of 2412 2156 Kalipcmb.exe 44 PID 2156 wrote to memory of 2412 2156 Kalipcmb.exe 44 PID 2156 wrote to memory of 2412 2156 Kalipcmb.exe 44 PID 2412 wrote to memory of 2560 2412 Kijkje32.exe 45 PID 2412 wrote to memory of 2560 2412 Kijkje32.exe 45 PID 2412 wrote to memory of 2560 2412 Kijkje32.exe 45 PID 2412 wrote to memory of 2560 2412 Kijkje32.exe 45 PID 2560 wrote to memory of 940 2560 Kcdlhj32.exe 46 PID 2560 wrote to memory of 940 2560 Kcdlhj32.exe 46 PID 2560 wrote to memory of 940 2560 Kcdlhj32.exe 46 PID 2560 wrote to memory of 940 2560 Kcdlhj32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe"C:\Users\Admin\AppData\Local\Temp\afd469dce0b4b97a38ddb5671989292e7edfa66b3d9972c4eb10743b6f267a05.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe35⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe36⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ahmefdcp.exeC:\Windows\system32\Ahmefdcp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe38⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe39⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe40⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe41⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe42⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe43⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe44⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe45⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe46⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Cmhjdiap.exeC:\Windows\system32\Cmhjdiap.exe47⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe48⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe50⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe52⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe53⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe54⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe55⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe56⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Dmmpolof.exeC:\Windows\system32\Dmmpolof.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe58⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe59⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe60⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe62⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe63⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe66⤵PID:1492
-
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe67⤵PID:1560
-
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe68⤵PID:2972
-
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe69⤵PID:1272
-
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe70⤵PID:2548
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe71⤵PID:2264
-
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe72⤵PID:2884
-
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe73⤵PID:2744
-
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe75⤵PID:1104
-
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe76⤵PID:1996
-
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe77⤵PID:1108
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe78⤵PID:2840
-
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe80⤵PID:1332
-
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe81⤵PID:1000
-
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:488 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe84⤵PID:2232
-
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe85⤵
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe86⤵PID:2124
-
C:\Windows\SysWOW64\Jjfkmdlg.exeC:\Windows\system32\Jjfkmdlg.exe87⤵PID:2580
-
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe88⤵PID:2876
-
C:\Windows\SysWOW64\Jmipdo32.exeC:\Windows\system32\Jmipdo32.exe89⤵PID:2684
-
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe90⤵PID:2092
-
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe91⤵PID:820
-
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe92⤵PID:852
-
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe93⤵PID:1132
-
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe96⤵PID:1804
-
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe97⤵
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe98⤵PID:1060
-
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe99⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe100⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe103⤵PID:3004
-
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe104⤵PID:2724
-
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe105⤵PID:1392
-
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe106⤵PID:1124
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe107⤵PID:1964
-
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe108⤵PID:2976
-
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe109⤵PID:2300
-
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe110⤵PID:1924
-
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe111⤵PID:1200
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe112⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe113⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe114⤵PID:1596
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe116⤵PID:2132
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe117⤵PID:2016
-
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe118⤵PID:2008
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe120⤵PID:1912
-
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe121⤵PID:1244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-