Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 01:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe
-
Size
664KB
-
MD5
f8e55e5a8fe91b2eda392010fffa7236
-
SHA1
6463075d0bf9de3e85b27e01af743f5e2568b53b
-
SHA256
a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669
-
SHA512
44d374c19fb92e26e4891e777607cbf69bdf7a580d17196d02cef9bbfb8615965efc2d47918a0fb0b24b5629f71395de7c6e865cd65666fd7f779abdd0722986
-
SSDEEP
12288:rm/NdpV6yYPVpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmR54:MNdWVWleKWNUir2MhNl6zX3w9As/xO2k
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgchckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdejpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebnlba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglhghgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpfchka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqlfjfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Benpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnlba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehfcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nogmkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnjbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhial32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihefjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhaboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdjaeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doqmjaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdmdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfnmnojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Diklpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhgkdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pafpjljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibmhjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adohpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnmhnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gphokhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdonpjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nldgdpjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbhmehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jabajc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chickknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmojcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpccgppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdmogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcedbefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dihojnqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okomappb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjqpcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlifjjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkkhfmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojlkonpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clbdobpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjjebed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjjdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjdmggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hinlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onelbfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdpjaga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gohjnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmplqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifljcanj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfgkleh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfkkhmjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmgpjgph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpoleilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffiebc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2396 Djkodg32.exe 612 Ejpipf32.exe 2868 Eponmmaj.exe 2724 Fbbcdh32.exe 2648 Fbdpjgjf.exe 1196 Fpojlp32.exe 1700 Fgibijkb.exe 2632 Gpagbp32.exe 796 Gkfkoi32.exe 1996 Gpccgppq.exe 1660 Geplpfnh.exe 1632 Gpfpmonn.exe 1200 Ginefe32.exe 2380 Gcfioj32.exe 2256 Ghcbga32.exe 2572 Gomjckqc.exe 2500 Gdjblboj.exe 868 Hkdkhl32.exe 752 Hfiofefm.exe 1776 Hkfgnldd.exe 1328 Happkf32.exe 2564 Hdolga32.exe 1956 Hkidclbb.exe 876 Hbblpf32.exe 1620 Hcdihn32.exe 756 Hjnaehgj.exe 2700 Hqhiab32.exe 2748 Hgbanlfc.exe 2716 Hnljkf32.exe 568 Homfboco.exe 2656 Iiekkdjo.exe 1096 Ibnodj32.exe 2096 Ikfdmogp.exe 1696 Ibplji32.exe 2460 Iijdfc32.exe 2968 Ikhqbo32.exe 2340 Ibbioilj.exe 2124 Iilalc32.exe 1504 Iofiimkd.exe 2152 Iionacad.exe 2268 Jbgbjh32.exe 2568 Jgdkbo32.exe 828 Jalolemm.exe 1624 Jjdcdjcm.exe 2684 Jpalmaad.exe 3044 Jjgpjjak.exe 2592 Jcodcp32.exe 556 Jmhile32.exe 2148 Jfpndkel.exe 1556 Klmfmacc.exe 2092 Kfbjjjci.exe 1112 Kpkocpjj.exe 1988 Kalkjh32.exe 296 Klapha32.exe 1564 Kblhdkgk.exe 2412 Kdmdlc32.exe 2304 Kmeiei32.exe 2376 Kfnmnojj.exe 1780 Lpfagd32.exe 2948 Lkkfdmpq.exe 1260 Lphnlcnh.exe 2936 Lgbfin32.exe 1764 Lmlofhmb.exe 1616 Ldfgbb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 2396 Djkodg32.exe 2396 Djkodg32.exe 612 Ejpipf32.exe 612 Ejpipf32.exe 2868 Eponmmaj.exe 2868 Eponmmaj.exe 2724 Fbbcdh32.exe 2724 Fbbcdh32.exe 2648 Fbdpjgjf.exe 2648 Fbdpjgjf.exe 1196 Fpojlp32.exe 1196 Fpojlp32.exe 1700 Fgibijkb.exe 1700 Fgibijkb.exe 2632 Gpagbp32.exe 2632 Gpagbp32.exe 796 Gkfkoi32.exe 796 Gkfkoi32.exe 1996 Gpccgppq.exe 1996 Gpccgppq.exe 1660 Geplpfnh.exe 1660 Geplpfnh.exe 1632 Gpfpmonn.exe 1632 Gpfpmonn.exe 1200 Ginefe32.exe 1200 Ginefe32.exe 2380 Gcfioj32.exe 2380 Gcfioj32.exe 2256 Ghcbga32.exe 2256 Ghcbga32.exe 2572 Gomjckqc.exe 2572 Gomjckqc.exe 2500 Gdjblboj.exe 2500 Gdjblboj.exe 868 Hkdkhl32.exe 868 Hkdkhl32.exe 752 Hfiofefm.exe 752 Hfiofefm.exe 1776 Hkfgnldd.exe 1776 Hkfgnldd.exe 1328 Happkf32.exe 1328 Happkf32.exe 2564 Hdolga32.exe 2564 Hdolga32.exe 1956 Hkidclbb.exe 1956 Hkidclbb.exe 876 Hbblpf32.exe 876 Hbblpf32.exe 1620 Hcdihn32.exe 1620 Hcdihn32.exe 756 Hjnaehgj.exe 756 Hjnaehgj.exe 2700 Hqhiab32.exe 2700 Hqhiab32.exe 2748 Hgbanlfc.exe 2748 Hgbanlfc.exe 2716 Hnljkf32.exe 2716 Hnljkf32.exe 568 Homfboco.exe 568 Homfboco.exe 2656 Iiekkdjo.exe 2656 Iiekkdjo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ibmhjc32.exe Ijfpif32.exe File opened for modification C:\Windows\SysWOW64\Hdolga32.exe Happkf32.exe File created C:\Windows\SysWOW64\Ibbioilj.exe Ikhqbo32.exe File opened for modification C:\Windows\SysWOW64\Jmhile32.exe Jcodcp32.exe File created C:\Windows\SysWOW64\Klmfmacc.exe Jfpndkel.exe File created C:\Windows\SysWOW64\Pdmplfkj.dll Gpagbp32.exe File created C:\Windows\SysWOW64\Ojjaih32.dll Npecjdaf.exe File created C:\Windows\SysWOW64\Aflmbj32.exe Algida32.exe File created C:\Windows\SysWOW64\Hjqboc32.dll Boakgapg.exe File opened for modification C:\Windows\SysWOW64\Bdkpob32.exe Bjclfmfe.exe File created C:\Windows\SysWOW64\Injlmcib.exe Ihmcelkk.exe File created C:\Windows\SysWOW64\Dbdippia.dll Ogigpllh.exe File created C:\Windows\SysWOW64\Hpkjfq32.dll Filnjk32.exe File created C:\Windows\SysWOW64\Ijcmipjh.exe Ipkhpk32.exe File created C:\Windows\SysWOW64\Apgnpo32.exe Aeajcf32.exe File opened for modification C:\Windows\SysWOW64\Hhnpih32.exe Hepdml32.exe File created C:\Windows\SysWOW64\Njmlqd32.dll Ogpkhb32.exe File created C:\Windows\SysWOW64\Fblipohc.dll Diklpn32.exe File opened for modification C:\Windows\SysWOW64\Lpqnpacp.exe Lghigl32.exe File created C:\Windows\SysWOW64\Pmimpf32.exe Ppelfbol.exe File opened for modification C:\Windows\SysWOW64\Hbblpf32.exe Hkidclbb.exe File opened for modification C:\Windows\SysWOW64\Pbnfdpge.exe Pjqdjn32.exe File created C:\Windows\SysWOW64\Fdoknb32.dll Eqklhh32.exe File opened for modification C:\Windows\SysWOW64\Gpfpmonn.exe Geplpfnh.exe File created C:\Windows\SysWOW64\Chdjpl32.exe Cfemdp32.exe File created C:\Windows\SysWOW64\Lpkmkl32.exe Lmmaoq32.exe File created C:\Windows\SysWOW64\Mjoekh32.dll Lpkmkl32.exe File created C:\Windows\SysWOW64\Cjmfag32.dll Enokidgl.exe File opened for modification C:\Windows\SysWOW64\Mojdlm32.exe Mmigdend.exe File created C:\Windows\SysWOW64\Ngahmngp.exe Npgppdpc.exe File created C:\Windows\SysWOW64\Odflnaqp.dll Hincna32.exe File created C:\Windows\SysWOW64\Jdhmel32.exe Jjcigcmd.exe File created C:\Windows\SysWOW64\Klhegdbg.dll Kfcmcckn.exe File opened for modification C:\Windows\SysWOW64\Cbokoa32.exe Ckebbgoj.exe File created C:\Windows\SysWOW64\Debmplbf.dll Ghqqpd32.exe File created C:\Windows\SysWOW64\Nogbpf32.dll Iilalc32.exe File opened for modification C:\Windows\SysWOW64\Gmhmdc32.exe Glgqlkdl.exe File created C:\Windows\SysWOW64\Jkldgjnj.dll Gaibpa32.exe File opened for modification C:\Windows\SysWOW64\Bkbjmd32.exe Bdiaqj32.exe File created C:\Windows\SysWOW64\Cbokoa32.exe Ckebbgoj.exe File opened for modification C:\Windows\SysWOW64\Ndqokc32.exe Npecjdaf.exe File created C:\Windows\SysWOW64\Dqqqokla.exe Dnbdbomn.exe File created C:\Windows\SysWOW64\Gnaffpoi.exe Fpnekc32.exe File created C:\Windows\SysWOW64\Oeakle32.dll Hfjglppd.exe File opened for modification C:\Windows\SysWOW64\Kblhdkgk.exe Klapha32.exe File created C:\Windows\SysWOW64\Kbnnhm32.dll Ldfgbb32.exe File opened for modification C:\Windows\SysWOW64\Dklibf32.exe Cdbqflae.exe File opened for modification C:\Windows\SysWOW64\Pgpjpnhk.exe Pafacd32.exe File created C:\Windows\SysWOW64\Jjdcdjcm.exe Jalolemm.exe File opened for modification C:\Windows\SysWOW64\Hlijan32.exe Hoeigi32.exe File created C:\Windows\SysWOW64\Jeidob32.exe Jibcja32.exe File opened for modification C:\Windows\SysWOW64\Iqhhin32.exe Injlmcib.exe File created C:\Windows\SysWOW64\Oambdf32.dll Iofiimkd.exe File created C:\Windows\SysWOW64\Qmomelml.exe Qfedhb32.exe File created C:\Windows\SysWOW64\Cbhcankf.exe Cmkkhfmn.exe File created C:\Windows\SysWOW64\Dcjleq32.exe Dnmdmj32.exe File created C:\Windows\SysWOW64\Homfboco.exe Hnljkf32.exe File created C:\Windows\SysWOW64\Hignfnfk.dll Alfflhpa.exe File created C:\Windows\SysWOW64\Iqhhin32.exe Injlmcib.exe File opened for modification C:\Windows\SysWOW64\Aihmhe32.exe Aamhdckg.exe File opened for modification C:\Windows\SysWOW64\Iqnlpq32.exe Ikqcgj32.exe File created C:\Windows\SysWOW64\Eqjjhn32.dll Hgnjlfam.exe File created C:\Windows\SysWOW64\Fjkgampo.exe Fpecddpi.exe File created C:\Windows\SysWOW64\Dpdoea32.dll Baannfim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5688 2732 WerFault.exe 607 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbanlfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmfmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjqpcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecpipck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcngkmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaffpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioonfaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmfmacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnflmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkoijhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfijmdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqajqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjogidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnjlfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhhin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldgdpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfalpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impblnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdihn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnagijk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihnqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddlcgjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcikllja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlijan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chccfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbakmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Happkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncaejie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofhcmig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffiebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijbnppi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbljmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfgkleh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfdjphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfiofefm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okdahbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnoepam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Condfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpagbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilalko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjglcmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmcelkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncboo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdejpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhghgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocglmcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafpjljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgqlkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgjob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipedihgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djkodg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dppiddie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obddhc32.dll" Gijncn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhalag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcedbefd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elnagijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncghha32.dll" Lmondpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhmhpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kblhdkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaonifh.dll" Fibqhibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqfkj32.dll" Pphilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angohn32.dll" Jdhmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Homfboco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdkpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdoea32.dll" Baannfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efoobkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfjgeee.dll" Jlqniihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjclfmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfdmc32.dll" Pkglenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epmcqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpcaeghc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfjdmggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmmihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hepdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqboc32.dll" Boakgapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdodbj32.dll" Ojgkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnpfckmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adohpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofkoijhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifljcanj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjcfjoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqmkflcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgkokjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmlkcpgf.dll" Bdpjjaiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppopgcbc.dll" Bhdpjaga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpnpam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflffnhn.dll" Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbedmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efllcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajceba32.dll" Neohbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Indkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hafbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linmmf32.dll" Mmlmmdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqqbmpp.dll" Beignlig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemnml32.dll" Nahemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifngiqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanoiobl.dll" Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnoepam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioocfn32.dll" Gbihmcqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpfdpmho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cocnanmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkhkbmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbgbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchligab.dll" Lpfagd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hignfnfk.dll" Alfflhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpndlobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odbhofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfcco32.dll" Jqakompl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2396 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 29 PID 2280 wrote to memory of 2396 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 29 PID 2280 wrote to memory of 2396 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 29 PID 2280 wrote to memory of 2396 2280 a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe 29 PID 2396 wrote to memory of 612 2396 Djkodg32.exe 30 PID 2396 wrote to memory of 612 2396 Djkodg32.exe 30 PID 2396 wrote to memory of 612 2396 Djkodg32.exe 30 PID 2396 wrote to memory of 612 2396 Djkodg32.exe 30 PID 612 wrote to memory of 2868 612 Ejpipf32.exe 31 PID 612 wrote to memory of 2868 612 Ejpipf32.exe 31 PID 612 wrote to memory of 2868 612 Ejpipf32.exe 31 PID 612 wrote to memory of 2868 612 Ejpipf32.exe 31 PID 2868 wrote to memory of 2724 2868 Eponmmaj.exe 32 PID 2868 wrote to memory of 2724 2868 Eponmmaj.exe 32 PID 2868 wrote to memory of 2724 2868 Eponmmaj.exe 32 PID 2868 wrote to memory of 2724 2868 Eponmmaj.exe 32 PID 2724 wrote to memory of 2648 2724 Fbbcdh32.exe 33 PID 2724 wrote to memory of 2648 2724 Fbbcdh32.exe 33 PID 2724 wrote to memory of 2648 2724 Fbbcdh32.exe 33 PID 2724 wrote to memory of 2648 2724 Fbbcdh32.exe 33 PID 2648 wrote to memory of 1196 2648 Fbdpjgjf.exe 34 PID 2648 wrote to memory of 1196 2648 Fbdpjgjf.exe 34 PID 2648 wrote to memory of 1196 2648 Fbdpjgjf.exe 34 PID 2648 wrote to memory of 1196 2648 Fbdpjgjf.exe 34 PID 1196 wrote to memory of 1700 1196 Fpojlp32.exe 35 PID 1196 wrote to memory of 1700 1196 Fpojlp32.exe 35 PID 1196 wrote to memory of 1700 1196 Fpojlp32.exe 35 PID 1196 wrote to memory of 1700 1196 Fpojlp32.exe 35 PID 1700 wrote to memory of 2632 1700 Fgibijkb.exe 36 PID 1700 wrote to memory of 2632 1700 Fgibijkb.exe 36 PID 1700 wrote to memory of 2632 1700 Fgibijkb.exe 36 PID 1700 wrote to memory of 2632 1700 Fgibijkb.exe 36 PID 2632 wrote to memory of 796 2632 Gpagbp32.exe 37 PID 2632 wrote to memory of 796 2632 Gpagbp32.exe 37 PID 2632 wrote to memory of 796 2632 Gpagbp32.exe 37 PID 2632 wrote to memory of 796 2632 Gpagbp32.exe 37 PID 796 wrote to memory of 1996 796 Gkfkoi32.exe 38 PID 796 wrote to memory of 1996 796 Gkfkoi32.exe 38 PID 796 wrote to memory of 1996 796 Gkfkoi32.exe 38 PID 796 wrote to memory of 1996 796 Gkfkoi32.exe 38 PID 1996 wrote to memory of 1660 1996 Gpccgppq.exe 39 PID 1996 wrote to memory of 1660 1996 Gpccgppq.exe 39 PID 1996 wrote to memory of 1660 1996 Gpccgppq.exe 39 PID 1996 wrote to memory of 1660 1996 Gpccgppq.exe 39 PID 1660 wrote to memory of 1632 1660 Geplpfnh.exe 40 PID 1660 wrote to memory of 1632 1660 Geplpfnh.exe 40 PID 1660 wrote to memory of 1632 1660 Geplpfnh.exe 40 PID 1660 wrote to memory of 1632 1660 Geplpfnh.exe 40 PID 1632 wrote to memory of 1200 1632 Gpfpmonn.exe 41 PID 1632 wrote to memory of 1200 1632 Gpfpmonn.exe 41 PID 1632 wrote to memory of 1200 1632 Gpfpmonn.exe 41 PID 1632 wrote to memory of 1200 1632 Gpfpmonn.exe 41 PID 1200 wrote to memory of 2380 1200 Ginefe32.exe 42 PID 1200 wrote to memory of 2380 1200 Ginefe32.exe 42 PID 1200 wrote to memory of 2380 1200 Ginefe32.exe 42 PID 1200 wrote to memory of 2380 1200 Ginefe32.exe 42 PID 2380 wrote to memory of 2256 2380 Gcfioj32.exe 43 PID 2380 wrote to memory of 2256 2380 Gcfioj32.exe 43 PID 2380 wrote to memory of 2256 2380 Gcfioj32.exe 43 PID 2380 wrote to memory of 2256 2380 Gcfioj32.exe 43 PID 2256 wrote to memory of 2572 2256 Ghcbga32.exe 44 PID 2256 wrote to memory of 2572 2256 Ghcbga32.exe 44 PID 2256 wrote to memory of 2572 2256 Ghcbga32.exe 44 PID 2256 wrote to memory of 2572 2256 Ghcbga32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe"C:\Users\Admin\AppData\Local\Temp\a5adc745a73eeb7e00253e334c59546ef0af4774893d10f2766469090fe16669.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Geplpfnh.exeC:\Windows\system32\Geplpfnh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Gpfpmonn.exeC:\Windows\system32\Gpfpmonn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Ginefe32.exeC:\Windows\system32\Ginefe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Gomjckqc.exeC:\Windows\system32\Gomjckqc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Hfiofefm.exeC:\Windows\system32\Hfiofefm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\Hkfgnldd.exeC:\Windows\system32\Hkfgnldd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Hkidclbb.exeC:\Windows\system32\Hkidclbb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\Hqhiab32.exeC:\Windows\system32\Hqhiab32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ibnodj32.exeC:\Windows\system32\Ibnodj32.exe33⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe35⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe36⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ikhqbo32.exeC:\Windows\system32\Ikhqbo32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe38⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Iilalc32.exeC:\Windows\system32\Iilalc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe41⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Jbgbjh32.exeC:\Windows\system32\Jbgbjh32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe43⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe45⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Jpalmaad.exeC:\Windows\system32\Jpalmaad.exe46⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe47⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jcodcp32.exeC:\Windows\system32\Jcodcp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe52⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe53⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe54⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe58⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Lkkfdmpq.exeC:\Windows\system32\Lkkfdmpq.exe61⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe62⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe63⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe64⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe66⤵PID:940
-
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe67⤵PID:1752
-
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe68⤵PID:2392
-
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe69⤵PID:1992
-
C:\Windows\SysWOW64\Mhmfgdch.exeC:\Windows\system32\Mhmfgdch.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe71⤵PID:2828
-
C:\Windows\SysWOW64\Maejpj32.exeC:\Windows\system32\Maejpj32.exe72⤵PID:2696
-
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe73⤵PID:2596
-
C:\Windows\SysWOW64\Mpjgag32.exeC:\Windows\system32\Mpjgag32.exe74⤵PID:2800
-
C:\Windows\SysWOW64\Mgdpnqfn.exeC:\Windows\system32\Mgdpnqfn.exe75⤵PID:2192
-
C:\Windows\SysWOW64\Mpmdff32.exeC:\Windows\system32\Mpmdff32.exe76⤵PID:2316
-
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe77⤵PID:2524
-
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe79⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe80⤵PID:2228
-
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe81⤵PID:2980
-
C:\Windows\SysWOW64\Nbgcdmjb.exeC:\Windows\system32\Nbgcdmjb.exe82⤵PID:3000
-
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe83⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe84⤵PID:2160
-
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe85⤵PID:2992
-
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe86⤵PID:592
-
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe87⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe89⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe90⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe91⤵PID:2056
-
C:\Windows\SysWOW64\Ojlkonpb.exeC:\Windows\system32\Ojlkonpb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544 -
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe93⤵PID:2916
-
C:\Windows\SysWOW64\Ogpkhb32.exeC:\Windows\system32\Ogpkhb32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe95⤵PID:3012
-
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe96⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe97⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Pbnfdpge.exeC:\Windows\system32\Pbnfdpge.exe98⤵PID:2616
-
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe100⤵PID:2104
-
C:\Windows\SysWOW64\Pacbel32.exeC:\Windows\system32\Pacbel32.exe101⤵PID:2604
-
C:\Windows\SysWOW64\Pikkfilp.exeC:\Windows\system32\Pikkfilp.exe102⤵PID:2560
-
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe103⤵PID:2796
-
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe105⤵PID:1316
-
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe106⤵PID:1216
-
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe107⤵PID:2088
-
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe108⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe109⤵PID:1844
-
C:\Windows\SysWOW64\Qdieaf32.exeC:\Windows\system32\Qdieaf32.exe110⤵PID:2248
-
C:\Windows\SysWOW64\Qifnjm32.exeC:\Windows\system32\Qifnjm32.exe111⤵PID:1528
-
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe112⤵PID:996
-
C:\Windows\SysWOW64\Akejdp32.exeC:\Windows\system32\Akejdp32.exe113⤵PID:1848
-
C:\Windows\SysWOW64\Alfflhpa.exeC:\Windows\system32\Alfflhpa.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Akpmhdqd.exeC:\Windows\system32\Akpmhdqd.exe115⤵PID:2072
-
C:\Windows\SysWOW64\Aajedn32.exeC:\Windows\system32\Aajedn32.exe116⤵PID:2660
-
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe117⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe118⤵PID:2100
-
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe119⤵PID:588
-
C:\Windows\SysWOW64\Bgijbede.exeC:\Windows\system32\Bgijbede.exe120⤵PID:2588
-
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe121⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-