Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 05:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
-
Size
64KB
-
MD5
6053543c2c0f4fc75ce109f5566ad973
-
SHA1
eec22974b1ae7233a1ac7e397e14e440e0a3810f
-
SHA256
e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae
-
SHA512
412225cd2da70cfc9f56f8e8ca1887d3bfc49948ac6f9d0b8628826b68e913f449bff7834c23a675efafadb0788bd76f45d401e6b1851830d174a0512c6f1c0e
-
SSDEEP
768:4Sldw3B4+U9BLN1dTVoB5NbG78Sr+yqbMIp4Okqj5Jj2p/1H5ZXdnhaBGHBJ1nVW:4yw30LNdoBHG78SsbjkC2LRsBMu/H1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clcghk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbjonicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljogknmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Didgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdehmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkafofde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkclcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndedhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkckihel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgjknijp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdehmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cipaqqli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadikaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlodma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckeno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bglhcihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlgdaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnkkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbabpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefqlmpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eikmkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fojnhlch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifkecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjjie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjbljh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmmhmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eadejede.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkgdjqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oooeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqgnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhkdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllkhoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoedch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapcaocc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinolcbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijddokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilohnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cidklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goadik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieepad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbkdkdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkbphfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjkije32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knicjipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmaialjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmiqlpge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqbeapqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjbcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbdce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnojpdfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkafofde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohedi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlaqba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmbeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hepffelp.exe -
Executes dropped EXE 64 IoCs
pid Process 832 Kgienc32.exe 2508 Kboill32.exe 2724 Kdmehh32.exe 2716 Ljjnpo32.exe 2312 Lnejqmie.exe 884 Lgnnicpe.exe 2648 Lnhffm32.exe 2256 Lqfbbh32.exe 2156 Loicnemp.exe 2280 Lgpkobnb.exe 2820 Ljogknmf.exe 2676 Lqiohh32.exe 576 Lokpcekn.exe 1136 Lbjlppja.exe 2104 Ljadqn32.exe 2228 Lkbphfab.exe 2528 Lcihicad.exe 1096 Lfhdeoqh.exe 1036 Lifqbjpk.exe 992 Lmbmbi32.exe 1964 Mncijanc.exe 2340 Mfjaknoe.exe 920 Memagk32.exe 2132 Mgkncfdc.exe 2260 Mpbfddef.exe 1704 Mbabpodi.exe 2448 Mikjmi32.exe 2160 Mjlgdaad.exe 2852 Mbcofobg.exe 2692 Mhpgnfpn.exe 2840 Mllcodig.exe 2688 Mnjokphk.exe 2164 Medggj32.exe 2808 Mhbdce32.exe 2436 Mnllppfh.exe 2100 Mdidhfdp.exe 2632 Mheqie32.exe 2908 Nmaialjp.exe 2044 Namebk32.exe 1288 Nbnajcig.exe 796 Njeikpij.exe 2408 Ndnncf32.exe 1980 Nfljpa32.exe 2400 Nikflm32.exe 980 Nlibhhme.exe 1952 Npdohg32.exe 1108 Nfogeamk.exe 3004 Nhpcmi32.exe 2764 Npgknf32.exe 1820 Nojljcjf.exe 2940 Nbehjb32.exe 2704 Neddfm32.exe 2860 Nhbpbi32.exe 2864 Nlnlcg32.exe 2624 Nolhoc32.exe 2056 Obhdpaqm.exe 2024 Oefqlmpq.exe 1912 Olpiig32.exe 1192 Oooeeb32.exe 1460 Omaepoml.exe 2296 Oamaan32.exe 2552 Oehmamnn.exe 2384 Ohginhma.exe 1068 Ogjjie32.exe -
Loads dropped DLL 64 IoCs
pid Process 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 832 Kgienc32.exe 832 Kgienc32.exe 2508 Kboill32.exe 2508 Kboill32.exe 2724 Kdmehh32.exe 2724 Kdmehh32.exe 2716 Ljjnpo32.exe 2716 Ljjnpo32.exe 2312 Lnejqmie.exe 2312 Lnejqmie.exe 884 Lgnnicpe.exe 884 Lgnnicpe.exe 2648 Lnhffm32.exe 2648 Lnhffm32.exe 2256 Lqfbbh32.exe 2256 Lqfbbh32.exe 2156 Loicnemp.exe 2156 Loicnemp.exe 2280 Lgpkobnb.exe 2280 Lgpkobnb.exe 2820 Ljogknmf.exe 2820 Ljogknmf.exe 2676 Lqiohh32.exe 2676 Lqiohh32.exe 576 Lokpcekn.exe 576 Lokpcekn.exe 1136 Lbjlppja.exe 1136 Lbjlppja.exe 2104 Ljadqn32.exe 2104 Ljadqn32.exe 2228 Lkbphfab.exe 2228 Lkbphfab.exe 2528 Lcihicad.exe 2528 Lcihicad.exe 1096 Lfhdeoqh.exe 1096 Lfhdeoqh.exe 1036 Lifqbjpk.exe 1036 Lifqbjpk.exe 992 Lmbmbi32.exe 992 Lmbmbi32.exe 1964 Mncijanc.exe 1964 Mncijanc.exe 2340 Mfjaknoe.exe 2340 Mfjaknoe.exe 920 Memagk32.exe 920 Memagk32.exe 2132 Mgkncfdc.exe 2132 Mgkncfdc.exe 2260 Mpbfddef.exe 2260 Mpbfddef.exe 1704 Mbabpodi.exe 1704 Mbabpodi.exe 2448 Mikjmi32.exe 2448 Mikjmi32.exe 2160 Mjlgdaad.exe 2160 Mjlgdaad.exe 2852 Mbcofobg.exe 2852 Mbcofobg.exe 2692 Mhpgnfpn.exe 2692 Mhpgnfpn.exe 2840 Mllcodig.exe 2840 Mllcodig.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Plnhbk32.exe Pnkhfnea.exe File created C:\Windows\SysWOW64\Pkjcgmjl.dll Gaigab32.exe File created C:\Windows\SysWOW64\Lbliiipi.dll Kkkgnmqb.exe File opened for modification C:\Windows\SysWOW64\Kcmbco32.exe Kjdmjiae.exe File created C:\Windows\SysWOW64\Qgenbkca.dll Mikjmi32.exe File opened for modification C:\Windows\SysWOW64\Opdkgj32.exe Omfoko32.exe File opened for modification C:\Windows\SysWOW64\Dadikaaj.exe Dmimkc32.exe File created C:\Windows\SysWOW64\Cmadfapb.dll Fkaomm32.exe File opened for modification C:\Windows\SysWOW64\Fbkgjgqi.exe Fchgnj32.exe File opened for modification C:\Windows\SysWOW64\Kpjlldmg.exe Knlpphnd.exe File created C:\Windows\SysWOW64\Ffdgef32.exe Fbhkdgbk.exe File created C:\Windows\SysWOW64\Gigllafc.exe Gdlplb32.exe File created C:\Windows\SysWOW64\Lgpkobnb.exe Loicnemp.exe File opened for modification C:\Windows\SysWOW64\Bnmmjd32.exe Bknani32.exe File created C:\Windows\SysWOW64\Cdccjgcl.dll Bkqnchgo.exe File opened for modification C:\Windows\SysWOW64\Bgjknijp.exe Bcnomjbg.exe File created C:\Windows\SysWOW64\Pbcbee32.dll Coofoghn.exe File created C:\Windows\SysWOW64\Ehlqao32.exe Eiipfbgj.exe File created C:\Windows\SysWOW64\Kkpcjmne.dll Hgconl32.exe File opened for modification C:\Windows\SysWOW64\Kkkgnmqb.exe Khlkba32.exe File opened for modification C:\Windows\SysWOW64\Fjpbeecn.exe Ffdgef32.exe File created C:\Windows\SysWOW64\Hpaaho32.exe Hmbdlc32.exe File created C:\Windows\SysWOW64\Oehmamnn.exe Oamaan32.exe File created C:\Windows\SysWOW64\Caglpoco.dll Ogjjie32.exe File created C:\Windows\SysWOW64\Poegde32.exe Pgnpcg32.exe File created C:\Windows\SysWOW64\Ehemnf32.dll Epchbm32.exe File created C:\Windows\SysWOW64\Niqebpek.dll Fjkije32.exe File opened for modification C:\Windows\SysWOW64\Klqmaebl.exe Kjbqei32.exe File opened for modification C:\Windows\SysWOW64\Joajdmma.exe Jkfncn32.exe File created C:\Windows\SysWOW64\Japfphle.exe Joajdmma.exe File created C:\Windows\SysWOW64\Ppanehoa.dll Njeikpij.exe File created C:\Windows\SysWOW64\Phegmipo.dll Pekffp32.exe File created C:\Windows\SysWOW64\Edgllicl.dll Afhfpc32.exe File created C:\Windows\SysWOW64\Bjfkde32.exe Bkckihel.exe File opened for modification C:\Windows\SysWOW64\Imgjfe32.exe Iikneggd.exe File created C:\Windows\SysWOW64\Jhhagb32.exe Jdlefd32.exe File opened for modification C:\Windows\SysWOW64\Kjngjj32.exe Kkkgnmqb.exe File opened for modification C:\Windows\SysWOW64\Ageedflj.exe Acjjch32.exe File created C:\Windows\SysWOW64\Cokaco32.dll Clqjblij.exe File created C:\Windows\SysWOW64\Gaigab32.exe Gnkkeg32.exe File created C:\Windows\SysWOW64\Dmkipb32.exe Dkmmdg32.exe File created C:\Windows\SysWOW64\Ijddokdo.exe Ihehbpel.exe File created C:\Windows\SysWOW64\Ipcjlaqd.exe Iapjad32.exe File created C:\Windows\SysWOW64\Kjgjpiob.exe Kfknpj32.exe File opened for modification C:\Windows\SysWOW64\Mbabpodi.exe Mpbfddef.exe File opened for modification C:\Windows\SysWOW64\Omaepoml.exe Oooeeb32.exe File opened for modification C:\Windows\SysWOW64\Ogqpjd32.exe Opghmjfg.exe File created C:\Windows\SysWOW64\Bglhcihn.exe Bcqlcj32.exe File created C:\Windows\SysWOW64\Ibdcnm32.exe Idabbpgj.exe File created C:\Windows\SysWOW64\Kjngjj32.exe Kkkgnmqb.exe File created C:\Windows\SysWOW64\Mpbfddef.exe Mgkncfdc.exe File created C:\Windows\SysWOW64\Ohginhma.exe Oehmamnn.exe File created C:\Windows\SysWOW64\Anjqdd32.exe Akldhi32.exe File opened for modification C:\Windows\SysWOW64\Idjlbqmb.exe Ialpfeno.exe File created C:\Windows\SysWOW64\Bclbhkdj.exe Bamfloef.exe File opened for modification C:\Windows\SysWOW64\Cboljemb.exe Cocpjf32.exe File created C:\Windows\SysWOW64\Gkhenlcd.exe Gglimm32.exe File opened for modification C:\Windows\SysWOW64\Mheqie32.exe Mdidhfdp.exe File opened for modification C:\Windows\SysWOW64\Npgknf32.exe Nhpcmi32.exe File created C:\Windows\SysWOW64\Kpihinap.dll Aediaoae.exe File created C:\Windows\SysWOW64\Epoemc32.dll Ehbgbngm.exe File opened for modification C:\Windows\SysWOW64\Hfmfjh32.exe Hnfnik32.exe File created C:\Windows\SysWOW64\Nolhoc32.exe Nlnlcg32.exe File opened for modification C:\Windows\SysWOW64\Akldhi32.exe Amidmldj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4788 4704 WerFault.exe 423 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Namebk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcihicad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhkdgbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnahoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpiig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabjbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjkije32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnkdeagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goadik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pockoeeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqmgbbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldobjec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkclcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ialpfeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpbfddef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlqao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllggbde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcofobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimdka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbqei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiiapg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoedch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bamfloef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfpofkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqfbbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpkobnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlibhhme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbjpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Henipenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfnkejeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcnomjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekkaanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjjle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqbaqccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnllppfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgjknijp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokpcekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibnfpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilohnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgienc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbdce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knlpphnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oglfodai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfoko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpodbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abacjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebnqcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbeapqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqlgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhplaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famhqclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijahik32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfkjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njeikpij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgjknijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clecnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocgoilb.dll" Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afolpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceenilo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbqei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maimbpld.dll" Kcmbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfljpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcobjdg.dll" Opghmjfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihn32.dll" Qnkdeagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoedch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abcppcdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkclcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhedachg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbjlppja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mncijanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onplon32.dll" Plbbmjhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lileonpo.dll" Fjimefie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjpodhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamnjpji.dll" Kdaoacif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgpfdoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhdeoqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cekkaanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niqebpek.dll" Fjkije32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Henipenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnojqdi.dll" Knlpphnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaicpepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdcmn32.dll" Paojeafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlbcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgmmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inkgdjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfhllep.dll" Nfljpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnhjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcjeg32.dll" Kcflbpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefffo32.dll" Klqmaebl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcnomjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnfmdnb.dll" Hmeaaboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllpfdfe.dll" Kjbqei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbifo32.dll" Ppkahi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbbmjhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfifc32.dll" Cibnfpjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiieqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nolhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfebbh32.dll" Poldnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihehbpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinlbk32.dll" Clecnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpdoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhcnb32.dll" Fffckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hinolcbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcdgj32.dll" Lnhffm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Occgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afhfpc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 832 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 29 PID 1596 wrote to memory of 832 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 29 PID 1596 wrote to memory of 832 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 29 PID 1596 wrote to memory of 832 1596 e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe 29 PID 832 wrote to memory of 2508 832 Kgienc32.exe 30 PID 832 wrote to memory of 2508 832 Kgienc32.exe 30 PID 832 wrote to memory of 2508 832 Kgienc32.exe 30 PID 832 wrote to memory of 2508 832 Kgienc32.exe 30 PID 2508 wrote to memory of 2724 2508 Kboill32.exe 31 PID 2508 wrote to memory of 2724 2508 Kboill32.exe 31 PID 2508 wrote to memory of 2724 2508 Kboill32.exe 31 PID 2508 wrote to memory of 2724 2508 Kboill32.exe 31 PID 2724 wrote to memory of 2716 2724 Kdmehh32.exe 32 PID 2724 wrote to memory of 2716 2724 Kdmehh32.exe 32 PID 2724 wrote to memory of 2716 2724 Kdmehh32.exe 32 PID 2724 wrote to memory of 2716 2724 Kdmehh32.exe 32 PID 2716 wrote to memory of 2312 2716 Ljjnpo32.exe 33 PID 2716 wrote to memory of 2312 2716 Ljjnpo32.exe 33 PID 2716 wrote to memory of 2312 2716 Ljjnpo32.exe 33 PID 2716 wrote to memory of 2312 2716 Ljjnpo32.exe 33 PID 2312 wrote to memory of 884 2312 Lnejqmie.exe 34 PID 2312 wrote to memory of 884 2312 Lnejqmie.exe 34 PID 2312 wrote to memory of 884 2312 Lnejqmie.exe 34 PID 2312 wrote to memory of 884 2312 Lnejqmie.exe 34 PID 884 wrote to memory of 2648 884 Lgnnicpe.exe 35 PID 884 wrote to memory of 2648 884 Lgnnicpe.exe 35 PID 884 wrote to memory of 2648 884 Lgnnicpe.exe 35 PID 884 wrote to memory of 2648 884 Lgnnicpe.exe 35 PID 2648 wrote to memory of 2256 2648 Lnhffm32.exe 36 PID 2648 wrote to memory of 2256 2648 Lnhffm32.exe 36 PID 2648 wrote to memory of 2256 2648 Lnhffm32.exe 36 PID 2648 wrote to memory of 2256 2648 Lnhffm32.exe 36 PID 2256 wrote to memory of 2156 2256 Lqfbbh32.exe 37 PID 2256 wrote to memory of 2156 2256 Lqfbbh32.exe 37 PID 2256 wrote to memory of 2156 2256 Lqfbbh32.exe 37 PID 2256 wrote to memory of 2156 2256 Lqfbbh32.exe 37 PID 2156 wrote to memory of 2280 2156 Loicnemp.exe 38 PID 2156 wrote to memory of 2280 2156 Loicnemp.exe 38 PID 2156 wrote to memory of 2280 2156 Loicnemp.exe 38 PID 2156 wrote to memory of 2280 2156 Loicnemp.exe 38 PID 2280 wrote to memory of 2820 2280 Lgpkobnb.exe 39 PID 2280 wrote to memory of 2820 2280 Lgpkobnb.exe 39 PID 2280 wrote to memory of 2820 2280 Lgpkobnb.exe 39 PID 2280 wrote to memory of 2820 2280 Lgpkobnb.exe 39 PID 2820 wrote to memory of 2676 2820 Ljogknmf.exe 40 PID 2820 wrote to memory of 2676 2820 Ljogknmf.exe 40 PID 2820 wrote to memory of 2676 2820 Ljogknmf.exe 40 PID 2820 wrote to memory of 2676 2820 Ljogknmf.exe 40 PID 2676 wrote to memory of 576 2676 Lqiohh32.exe 41 PID 2676 wrote to memory of 576 2676 Lqiohh32.exe 41 PID 2676 wrote to memory of 576 2676 Lqiohh32.exe 41 PID 2676 wrote to memory of 576 2676 Lqiohh32.exe 41 PID 576 wrote to memory of 1136 576 Lokpcekn.exe 42 PID 576 wrote to memory of 1136 576 Lokpcekn.exe 42 PID 576 wrote to memory of 1136 576 Lokpcekn.exe 42 PID 576 wrote to memory of 1136 576 Lokpcekn.exe 42 PID 1136 wrote to memory of 2104 1136 Lbjlppja.exe 43 PID 1136 wrote to memory of 2104 1136 Lbjlppja.exe 43 PID 1136 wrote to memory of 2104 1136 Lbjlppja.exe 43 PID 1136 wrote to memory of 2104 1136 Lbjlppja.exe 43 PID 2104 wrote to memory of 2228 2104 Ljadqn32.exe 44 PID 2104 wrote to memory of 2228 2104 Ljadqn32.exe 44 PID 2104 wrote to memory of 2228 2104 Ljadqn32.exe 44 PID 2104 wrote to memory of 2228 2104 Ljadqn32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe"C:\Users\Admin\AppData\Local\Temp\e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Kgienc32.exeC:\Windows\system32\Kgienc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Kboill32.exeC:\Windows\system32\Kboill32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kdmehh32.exeC:\Windows\system32\Kdmehh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ljjnpo32.exeC:\Windows\system32\Ljjnpo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Lnejqmie.exeC:\Windows\system32\Lnejqmie.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Lgnnicpe.exeC:\Windows\system32\Lgnnicpe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Lnhffm32.exeC:\Windows\system32\Lnhffm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Lqfbbh32.exeC:\Windows\system32\Lqfbbh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Loicnemp.exeC:\Windows\system32\Loicnemp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Lgpkobnb.exeC:\Windows\system32\Lgpkobnb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ljogknmf.exeC:\Windows\system32\Ljogknmf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Lqiohh32.exeC:\Windows\system32\Lqiohh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Lokpcekn.exeC:\Windows\system32\Lokpcekn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Lbjlppja.exeC:\Windows\system32\Lbjlppja.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ljadqn32.exeC:\Windows\system32\Ljadqn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Lcihicad.exeC:\Windows\system32\Lcihicad.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Lfhdeoqh.exeC:\Windows\system32\Lfhdeoqh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Lifqbjpk.exeC:\Windows\system32\Lifqbjpk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Lmbmbi32.exeC:\Windows\system32\Lmbmbi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Mncijanc.exeC:\Windows\system32\Mncijanc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Mfjaknoe.exeC:\Windows\system32\Mfjaknoe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Memagk32.exeC:\Windows\system32\Memagk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Mgkncfdc.exeC:\Windows\system32\Mgkncfdc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Mpbfddef.exeC:\Windows\system32\Mpbfddef.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Mbabpodi.exeC:\Windows\system32\Mbabpodi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Mikjmi32.exeC:\Windows\system32\Mikjmi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Mjlgdaad.exeC:\Windows\system32\Mjlgdaad.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Mbcofobg.exeC:\Windows\system32\Mbcofobg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Mhpgnfpn.exeC:\Windows\system32\Mhpgnfpn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Mllcodig.exeC:\Windows\system32\Mllcodig.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Mnjokphk.exeC:\Windows\system32\Mnjokphk.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe34⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mhbdce32.exeC:\Windows\system32\Mhbdce32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Mnllppfh.exeC:\Windows\system32\Mnllppfh.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Mdidhfdp.exeC:\Windows\system32\Mdidhfdp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Mheqie32.exeC:\Windows\system32\Mheqie32.exe38⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nmaialjp.exeC:\Windows\system32\Nmaialjp.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Namebk32.exeC:\Windows\system32\Namebk32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Nbnajcig.exeC:\Windows\system32\Nbnajcig.exe41⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Njeikpij.exeC:\Windows\system32\Njeikpij.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Ndnncf32.exeC:\Windows\system32\Ndnncf32.exe43⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nfljpa32.exeC:\Windows\system32\Nfljpa32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Nikflm32.exeC:\Windows\system32\Nikflm32.exe45⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nlibhhme.exeC:\Windows\system32\Nlibhhme.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe47⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nfogeamk.exeC:\Windows\system32\Nfogeamk.exe48⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Nhpcmi32.exeC:\Windows\system32\Nhpcmi32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Npgknf32.exeC:\Windows\system32\Npgknf32.exe50⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Nojljcjf.exeC:\Windows\system32\Nojljcjf.exe51⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Nbehjb32.exeC:\Windows\system32\Nbehjb32.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Neddfm32.exeC:\Windows\system32\Neddfm32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nhbpbi32.exeC:\Windows\system32\Nhbpbi32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Nlnlcg32.exeC:\Windows\system32\Nlnlcg32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Nolhoc32.exeC:\Windows\system32\Nolhoc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe57⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Oefqlmpq.exeC:\Windows\system32\Oefqlmpq.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Olpiig32.exeC:\Windows\system32\Olpiig32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Oooeeb32.exeC:\Windows\system32\Oooeeb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe61⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Oamaan32.exeC:\Windows\system32\Oamaan32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Oehmamnn.exeC:\Windows\system32\Oehmamnn.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Ohginhma.exeC:\Windows\system32\Ohginhma.exe64⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ogjjie32.exeC:\Windows\system32\Ogjjie32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe66⤵
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe67⤵PID:1292
-
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe68⤵PID:904
-
C:\Windows\SysWOW64\Oglfodai.exeC:\Windows\system32\Oglfodai.exe69⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Omfoko32.exeC:\Windows\system32\Omfoko32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Opdkgj32.exeC:\Windows\system32\Opdkgj32.exe72⤵PID:2884
-
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe73⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe74⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Oimpppoj.exeC:\Windows\system32\Oimpppoj.exe75⤵PID:2928
-
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe76⤵PID:2484
-
C:\Windows\SysWOW64\Opghmjfg.exeC:\Windows\system32\Opghmjfg.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Ogqpjd32.exeC:\Windows\system32\Ogqpjd32.exe78⤵PID:2092
-
C:\Windows\SysWOW64\Pnkhfnea.exeC:\Windows\system32\Pnkhfnea.exe79⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe80⤵PID:2308
-
C:\Windows\SysWOW64\Poldnf32.exeC:\Windows\system32\Poldnf32.exe81⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe83⤵PID:1592
-
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe84⤵PID:1684
-
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe85⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe86⤵PID:1712
-
C:\Windows\SysWOW64\Pamnpahp.exeC:\Windows\system32\Pamnpahp.exe87⤵PID:2168
-
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe88⤵PID:2728
-
C:\Windows\SysWOW64\Plbbmjhf.exeC:\Windows\system32\Plbbmjhf.exe89⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Poqniegj.exeC:\Windows\system32\Poqniegj.exe90⤵PID:2368
-
C:\Windows\SysWOW64\Paojeafn.exeC:\Windows\system32\Paojeafn.exe91⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe92⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe93⤵PID:308
-
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe94⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe95⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Pnfkjb32.exeC:\Windows\system32\Pnfkjb32.exe96⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Pfmclold.exeC:\Windows\system32\Pfmclold.exe97⤵PID:2348
-
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe98⤵PID:340
-
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Poegde32.exeC:\Windows\system32\Poegde32.exe100⤵PID:2664
-
C:\Windows\SysWOW64\Poegde32.exeC:\Windows\system32\Poegde32.exe101⤵PID:2016
-
C:\Windows\SysWOW64\Padcqp32.exeC:\Windows\system32\Padcqp32.exe102⤵PID:2708
-
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe103⤵PID:1156
-
C:\Windows\SysWOW64\Qhnlmjie.exeC:\Windows\system32\Qhnlmjie.exe104⤵PID:564
-
C:\Windows\SysWOW64\Qjoheb32.exeC:\Windows\system32\Qjoheb32.exe105⤵PID:2204
-
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe107⤵PID:2968
-
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe108⤵PID:3028
-
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe109⤵PID:3032
-
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe110⤵PID:1776
-
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe112⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe113⤵PID:1440
-
C:\Windows\SysWOW64\Afhfpc32.exeC:\Windows\system32\Afhfpc32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Ambnlmja.exeC:\Windows\system32\Ambnlmja.exe115⤵PID:2620
-
C:\Windows\SysWOW64\Aclfigao.exeC:\Windows\system32\Aclfigao.exe116⤵PID:2064
-
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe117⤵PID:2920
-
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe118⤵PID:2000
-
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe119⤵PID:3040
-
C:\Windows\SysWOW64\Aocgnh32.exeC:\Windows\system32\Aocgnh32.exe120⤵PID:1944
-
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-