Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe
-
Size
73KB
-
MD5
5dc1fc50381b3e8e41bdf0e0c21178ff
-
SHA1
2185b43a7fffd643ebc2a1f2b18c4edf601689c1
-
SHA256
a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54
-
SHA512
d7acc4ad6c260ee8561b3cfca5a41e0e19bd987ac3ba49ebed0ad836b012002c13a8e7e3a36609d6714b6226d7859a0b81535f98cff68cb819ad43f051e52dc8
-
SSDEEP
1536:jJ1N9oKxbwD3zgNgAxXzQG47APbPfnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnPf:fN9oKxboE7t/47DAhIUAM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokkag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlnfof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalcdngp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoeflamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheeqgmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghjkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afbbiafj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gggihhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gggihhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epegae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqjeiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiqjiojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphbom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgboe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfdmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omddohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfglcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecejnco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfeamimh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimeje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbmkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gndpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkhhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchfff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Decmnhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Decmnhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcflnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndofjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opmpenbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlblmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moedbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phghedga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glimdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ionlpdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpflmbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjqlid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhagodb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegecopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggaeae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oieencik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngllkbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edbjljpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpfbhof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objcnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndpcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfigmhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcggjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omddohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkhnbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glddig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpgqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfcai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkepl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpncdfkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjocaaoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koafcppm.exe -
Executes dropped EXE 64 IoCs
pid Process 2032 Gnfajgbg.exe 2100 Gkjbcl32.exe 2648 Gebflaga.exe 2736 Hgconl32.exe 2700 Hfiloiik.exe 2780 Hpaaho32.exe 2572 Hnfnik32.exe 2180 Hepffelp.exe 2936 Hhaogp32.exe 2436 Ilohnopg.exe 1788 Ihehbpel.exe 564 Imenpfap.exe 2840 Iljjabfh.exe 1864 Jebojh32.exe 2320 Jlodma32.exe 1320 Jhedachg.exe 1752 Jeiekgfq.exe 832 Jdoblckh.exe 980 Kkkgnmqb.exe 1724 Kdckgc32.exe 932 Knlpphnd.exe 612 Knnmeh32.exe 2284 Kgfannba.exe 2412 Koafcppm.exe 2624 Lodbhp32.exe 2948 Lnipilbb.exe 1716 Ljbmdmfc.exe 2232 Lmcfeh32.exe 1092 Mpflmbnc.exe 2972 Mfpdim32.exe 2868 Mkmlbc32.exe 2704 Mgfjld32.exe 2544 Nbknjm32.exe 3044 Nhhfbd32.exe 2920 Nbnkomel.exe 2512 Njiocobg.exe 1212 Nagakhfn.exe 2852 Olfkge32.exe 2876 Okkhhb32.exe 1760 Obbpio32.exe 2984 Pokndp32.exe 1012 Ppmjkhma.exe 2344 Pgfbhb32.exe 112 Palgek32.exe 924 Pkdknq32.exe 1216 Pdmpgfae.exe 1976 Pgklcaqi.exe 1520 Plhdkhoq.exe 2368 Pcbmhb32.exe 2236 Qljaah32.exe 2096 Qecejnco.exe 1028 Qokjcc32.exe 2748 Adhbkj32.exe 2804 Akbkhd32.exe 2796 Aalcdngp.exe 548 Agikmeeg.exe 1252 Aqapek32.exe 2908 Ajidnp32.exe 2828 Aqcmkjje.exe 584 Agmehd32.exe 2896 Amjmpk32.exe 1860 Acdemegf.exe 2164 Afbbiafj.exe 2024 Anjjjn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 2032 Gnfajgbg.exe 2032 Gnfajgbg.exe 2100 Gkjbcl32.exe 2100 Gkjbcl32.exe 2648 Gebflaga.exe 2648 Gebflaga.exe 2736 Hgconl32.exe 2736 Hgconl32.exe 2700 Hfiloiik.exe 2700 Hfiloiik.exe 2780 Hpaaho32.exe 2780 Hpaaho32.exe 2572 Hnfnik32.exe 2572 Hnfnik32.exe 2180 Hepffelp.exe 2180 Hepffelp.exe 2936 Hhaogp32.exe 2936 Hhaogp32.exe 2436 Ilohnopg.exe 2436 Ilohnopg.exe 1788 Ihehbpel.exe 1788 Ihehbpel.exe 564 Imenpfap.exe 564 Imenpfap.exe 2840 Iljjabfh.exe 2840 Iljjabfh.exe 1864 Jebojh32.exe 1864 Jebojh32.exe 2320 Jlodma32.exe 2320 Jlodma32.exe 1320 Jhedachg.exe 1320 Jhedachg.exe 1752 Jeiekgfq.exe 1752 Jeiekgfq.exe 832 Jdoblckh.exe 832 Jdoblckh.exe 980 Kkkgnmqb.exe 980 Kkkgnmqb.exe 1724 Kdckgc32.exe 1724 Kdckgc32.exe 932 Knlpphnd.exe 932 Knlpphnd.exe 612 Knnmeh32.exe 612 Knnmeh32.exe 2284 Kgfannba.exe 2284 Kgfannba.exe 2412 Koafcppm.exe 2412 Koafcppm.exe 2624 Lodbhp32.exe 2624 Lodbhp32.exe 2948 Lnipilbb.exe 2948 Lnipilbb.exe 1716 Ljbmdmfc.exe 1716 Ljbmdmfc.exe 2232 Lmcfeh32.exe 2232 Lmcfeh32.exe 1092 Mpflmbnc.exe 1092 Mpflmbnc.exe 2972 Mfpdim32.exe 2972 Mfpdim32.exe 2868 Mkmlbc32.exe 2868 Mkmlbc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qecejnco.exe Qljaah32.exe File created C:\Windows\SysWOW64\Bickkl32.exe Bfeonq32.exe File opened for modification C:\Windows\SysWOW64\Cbpncn32.exe Ckciqdol.exe File created C:\Windows\SysWOW64\Opmpenbj.exe Ogbkakeo.exe File created C:\Windows\SysWOW64\Iflcdpoe.dll Flgdod32.exe File opened for modification C:\Windows\SysWOW64\Palgek32.exe Pgfbhb32.exe File created C:\Windows\SysWOW64\Camlpldf.exe Cfggccdp.exe File created C:\Windows\SysWOW64\Dpfblh32.exe Deanooeb.exe File created C:\Windows\SysWOW64\Fdocoipp.dll Ggaeae32.exe File created C:\Windows\SysWOW64\Oifibb32.dll Kggcgf32.exe File created C:\Windows\SysWOW64\Jopfmg32.dll Nmlgcbei.exe File created C:\Windows\SysWOW64\Ncjgao32.exe Mgcflnfp.exe File opened for modification C:\Windows\SysWOW64\Colhlcig.exe Cfddcn32.exe File created C:\Windows\SysWOW64\Aenaeg32.dll Fhikiefk.exe File created C:\Windows\SysWOW64\Ollkge32.dll Fgkbac32.exe File created C:\Windows\SysWOW64\Ghlhpiia.exe Gngdcpjl.exe File opened for modification C:\Windows\SysWOW64\Mhobnqlg.exe Mqcnjnol.exe File created C:\Windows\SysWOW64\Nndppk32.dll Pfiafk32.exe File created C:\Windows\SysWOW64\Akilij32.dll Plhdkhoq.exe File opened for modification C:\Windows\SysWOW64\Hiohob32.exe Hgnkgjgh.exe File opened for modification C:\Windows\SysWOW64\Bclnfm32.exe Bjcimhab.exe File opened for modification C:\Windows\SysWOW64\Hnfnik32.exe Hpaaho32.exe File opened for modification C:\Windows\SysWOW64\Ilohnopg.exe Hhaogp32.exe File created C:\Windows\SysWOW64\Gcomea32.dll Lfhgng32.exe File created C:\Windows\SysWOW64\Nonlon32.dll Bdekjg32.exe File created C:\Windows\SysWOW64\Mqcnjnol.exe Mgkiaihl.exe File created C:\Windows\SysWOW64\Cpbfggdo.dll Mfpdim32.exe File created C:\Windows\SysWOW64\Anjjjn32.exe Afbbiafj.exe File created C:\Windows\SysWOW64\Lggmbo32.dll Gcpfbhof.exe File opened for modification C:\Windows\SysWOW64\Dalaeicf.exe Dffmgqcp.exe File created C:\Windows\SysWOW64\Jmjidneo.exe Imgmonga.exe File created C:\Windows\SysWOW64\Dpaggdbo.dll Pdmpgfae.exe File created C:\Windows\SysWOW64\Emmljodk.exe Emjoep32.exe File created C:\Windows\SysWOW64\Kabnce32.dll Pfgeaklb.exe File opened for modification C:\Windows\SysWOW64\Alpmep32.exe Abghlk32.exe File opened for modification C:\Windows\SysWOW64\Bkdclgpl.exe Bciohe32.exe File opened for modification C:\Windows\SysWOW64\Lpdhea32.exe Ldngqqjh.exe File created C:\Windows\SysWOW64\Ijndni32.dll Fcdpld32.exe File created C:\Windows\SysWOW64\Limobelk.dll Hgconl32.exe File created C:\Windows\SysWOW64\Cjgmoahd.exe Caohfl32.exe File created C:\Windows\SysWOW64\Jifjod32.exe Jdibfn32.exe File created C:\Windows\SysWOW64\Dbbkhnbc.exe Cbpncn32.exe File created C:\Windows\SysWOW64\Dalaeicf.exe Dffmgqcp.exe File created C:\Windows\SysWOW64\Glimdgmj.exe Gndpcj32.exe File opened for modification C:\Windows\SysWOW64\Mkmlbc32.exe Mfpdim32.exe File created C:\Windows\SysWOW64\Nimeje32.exe Nikide32.exe File created C:\Windows\SysWOW64\Glncip32.dll Gndpcj32.exe File created C:\Windows\SysWOW64\Kkjadc32.dll Oflbmg32.exe File created C:\Windows\SysWOW64\Jiojjk32.dll a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe File opened for modification C:\Windows\SysWOW64\Knlpphnd.exe Kdckgc32.exe File opened for modification C:\Windows\SysWOW64\Lmcfeh32.exe Ljbmdmfc.exe File opened for modification C:\Windows\SysWOW64\Fphgpnhm.exe Fklohgie.exe File opened for modification C:\Windows\SysWOW64\Lnkedemc.exe Llkijb32.exe File created C:\Windows\SysWOW64\Kphbom32.exe Kacenp32.exe File opened for modification C:\Windows\SysWOW64\Mgkiaihl.exe Mjgihdib.exe File created C:\Windows\SysWOW64\Lkoahopa.dll Cgicko32.exe File opened for modification C:\Windows\SysWOW64\Hepffelp.exe Hnfnik32.exe File created C:\Windows\SysWOW64\Maaakd32.dll Mpodoo32.exe File created C:\Windows\SysWOW64\Fjclbfdd.dll Mhaodqje.exe File opened for modification C:\Windows\SysWOW64\Qechbf32.exe Qmhcnd32.exe File opened for modification C:\Windows\SysWOW64\Faapbk32.exe Fhikiefk.exe File opened for modification C:\Windows\SysWOW64\Ibjkfpih.exe Ijofbnlm.exe File opened for modification C:\Windows\SysWOW64\Gkjbcl32.exe Gnfajgbg.exe File created C:\Windows\SysWOW64\Jebojh32.exe Iljjabfh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4324 4308 WerFault.exe 387 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgfpbcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhikiefk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijofbnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfajgbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkibbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anebhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmjidneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbkakeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmpgfae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlblmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdlqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjgao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dffmgqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdockgqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhejldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnjlcgnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqapek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjldbiig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbakgjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgicko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqgmdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glimdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikgkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbkhnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdghpggf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhaodqje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glddig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deanooeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippflkok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlodma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdcpjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkhihdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggaeae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgcflnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohleappp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaqhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfannba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcfeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqocej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njlnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpncdfkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokfaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alifee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebojbaga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfgjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbeoggic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bijakkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfeamimh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knabngen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndofjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gickgl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpaaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggihhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfddcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgagdp32.dll" Kdfjekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlpmddp.dll" Mjgihdib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgkiaihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdgboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdclgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpojmn32.dll" Lgcjmkcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqncfh32.dll" Mclghl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckciqdol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbmkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnennln.dll" Jifmgman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgfannba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlfpf32.dll" Koafcppm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bngicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfggccdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcipnga.dll" Hmhgjahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iekbob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhagodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegecopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpkedbka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Minika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgellb32.dll" Plnkkccp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmpgfae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipipllec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Appikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eheeqgmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfbjlgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdofclgd.dll" Cgbmkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Didbifoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amjmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifjod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ionlpdha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iemoebmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpncdfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggbclj32.dll" Mqcnjnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcinmkpj.dll" Ioqhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppmjkhma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkoip32.dll" Eaaajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaalkcih.dll" Kimpocda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjolpb32.dll" Lcbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akdjfmed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaogp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbbiafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmcjlgi.dll" Ilbnfmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcehkj32.dll" Pkhagodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnjlcgnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljjabfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdcnhdo.dll" Dpfblh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkfigqjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjmml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlodma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akbkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camlpldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlapid32.dll" Dajkjphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feofpqkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfhhicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjocd32.dll" Bnjlcgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alodkfoh.dll" Pmcjceam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkkah32.dll" Anebhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jafnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gebflaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnipilbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2032 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 29 PID 2468 wrote to memory of 2032 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 29 PID 2468 wrote to memory of 2032 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 29 PID 2468 wrote to memory of 2032 2468 a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe 29 PID 2032 wrote to memory of 2100 2032 Gnfajgbg.exe 30 PID 2032 wrote to memory of 2100 2032 Gnfajgbg.exe 30 PID 2032 wrote to memory of 2100 2032 Gnfajgbg.exe 30 PID 2032 wrote to memory of 2100 2032 Gnfajgbg.exe 30 PID 2100 wrote to memory of 2648 2100 Gkjbcl32.exe 31 PID 2100 wrote to memory of 2648 2100 Gkjbcl32.exe 31 PID 2100 wrote to memory of 2648 2100 Gkjbcl32.exe 31 PID 2100 wrote to memory of 2648 2100 Gkjbcl32.exe 31 PID 2648 wrote to memory of 2736 2648 Gebflaga.exe 32 PID 2648 wrote to memory of 2736 2648 Gebflaga.exe 32 PID 2648 wrote to memory of 2736 2648 Gebflaga.exe 32 PID 2648 wrote to memory of 2736 2648 Gebflaga.exe 32 PID 2736 wrote to memory of 2700 2736 Hgconl32.exe 33 PID 2736 wrote to memory of 2700 2736 Hgconl32.exe 33 PID 2736 wrote to memory of 2700 2736 Hgconl32.exe 33 PID 2736 wrote to memory of 2700 2736 Hgconl32.exe 33 PID 2700 wrote to memory of 2780 2700 Hfiloiik.exe 34 PID 2700 wrote to memory of 2780 2700 Hfiloiik.exe 34 PID 2700 wrote to memory of 2780 2700 Hfiloiik.exe 34 PID 2700 wrote to memory of 2780 2700 Hfiloiik.exe 34 PID 2780 wrote to memory of 2572 2780 Hpaaho32.exe 35 PID 2780 wrote to memory of 2572 2780 Hpaaho32.exe 35 PID 2780 wrote to memory of 2572 2780 Hpaaho32.exe 35 PID 2780 wrote to memory of 2572 2780 Hpaaho32.exe 35 PID 2572 wrote to memory of 2180 2572 Hnfnik32.exe 36 PID 2572 wrote to memory of 2180 2572 Hnfnik32.exe 36 PID 2572 wrote to memory of 2180 2572 Hnfnik32.exe 36 PID 2572 wrote to memory of 2180 2572 Hnfnik32.exe 36 PID 2180 wrote to memory of 2936 2180 Hepffelp.exe 37 PID 2180 wrote to memory of 2936 2180 Hepffelp.exe 37 PID 2180 wrote to memory of 2936 2180 Hepffelp.exe 37 PID 2180 wrote to memory of 2936 2180 Hepffelp.exe 37 PID 2936 wrote to memory of 2436 2936 Hhaogp32.exe 38 PID 2936 wrote to memory of 2436 2936 Hhaogp32.exe 38 PID 2936 wrote to memory of 2436 2936 Hhaogp32.exe 38 PID 2936 wrote to memory of 2436 2936 Hhaogp32.exe 38 PID 2436 wrote to memory of 1788 2436 Ilohnopg.exe 39 PID 2436 wrote to memory of 1788 2436 Ilohnopg.exe 39 PID 2436 wrote to memory of 1788 2436 Ilohnopg.exe 39 PID 2436 wrote to memory of 1788 2436 Ilohnopg.exe 39 PID 1788 wrote to memory of 564 1788 Ihehbpel.exe 40 PID 1788 wrote to memory of 564 1788 Ihehbpel.exe 40 PID 1788 wrote to memory of 564 1788 Ihehbpel.exe 40 PID 1788 wrote to memory of 564 1788 Ihehbpel.exe 40 PID 564 wrote to memory of 2840 564 Imenpfap.exe 41 PID 564 wrote to memory of 2840 564 Imenpfap.exe 41 PID 564 wrote to memory of 2840 564 Imenpfap.exe 41 PID 564 wrote to memory of 2840 564 Imenpfap.exe 41 PID 2840 wrote to memory of 1864 2840 Iljjabfh.exe 42 PID 2840 wrote to memory of 1864 2840 Iljjabfh.exe 42 PID 2840 wrote to memory of 1864 2840 Iljjabfh.exe 42 PID 2840 wrote to memory of 1864 2840 Iljjabfh.exe 42 PID 1864 wrote to memory of 2320 1864 Jebojh32.exe 43 PID 1864 wrote to memory of 2320 1864 Jebojh32.exe 43 PID 1864 wrote to memory of 2320 1864 Jebojh32.exe 43 PID 1864 wrote to memory of 2320 1864 Jebojh32.exe 43 PID 2320 wrote to memory of 1320 2320 Jlodma32.exe 44 PID 2320 wrote to memory of 1320 2320 Jlodma32.exe 44 PID 2320 wrote to memory of 1320 2320 Jlodma32.exe 44 PID 2320 wrote to memory of 1320 2320 Jlodma32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe"C:\Users\Admin\AppData\Local\Temp\a7e7047634ece295e6ec9aafad001df697dd2b8ec9bcb3eeecc3aaede4e5ff54.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Gnfajgbg.exeC:\Windows\system32\Gnfajgbg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Gkjbcl32.exeC:\Windows\system32\Gkjbcl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Gebflaga.exeC:\Windows\system32\Gebflaga.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hgconl32.exeC:\Windows\system32\Hgconl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Hfiloiik.exeC:\Windows\system32\Hfiloiik.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hpaaho32.exeC:\Windows\system32\Hpaaho32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hnfnik32.exeC:\Windows\system32\Hnfnik32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Hepffelp.exeC:\Windows\system32\Hepffelp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hhaogp32.exeC:\Windows\system32\Hhaogp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ilohnopg.exeC:\Windows\system32\Ilohnopg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ihehbpel.exeC:\Windows\system32\Ihehbpel.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Imenpfap.exeC:\Windows\system32\Imenpfap.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Iljjabfh.exeC:\Windows\system32\Iljjabfh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Jebojh32.exeC:\Windows\system32\Jebojh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Jlodma32.exeC:\Windows\system32\Jlodma32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Jhedachg.exeC:\Windows\system32\Jhedachg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Jeiekgfq.exeC:\Windows\system32\Jeiekgfq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Jdoblckh.exeC:\Windows\system32\Jdoblckh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Kkkgnmqb.exeC:\Windows\system32\Kkkgnmqb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Kdckgc32.exeC:\Windows\system32\Kdckgc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Knlpphnd.exeC:\Windows\system32\Knlpphnd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Knnmeh32.exeC:\Windows\system32\Knnmeh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Kgfannba.exeC:\Windows\system32\Kgfannba.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Koafcppm.exeC:\Windows\system32\Koafcppm.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Lodbhp32.exeC:\Windows\system32\Lodbhp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Lnipilbb.exeC:\Windows\system32\Lnipilbb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Ljbmdmfc.exeC:\Windows\system32\Ljbmdmfc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Lmcfeh32.exeC:\Windows\system32\Lmcfeh32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Mpflmbnc.exeC:\Windows\system32\Mpflmbnc.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Mfpdim32.exeC:\Windows\system32\Mfpdim32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Mkmlbc32.exeC:\Windows\system32\Mkmlbc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Mgfjld32.exeC:\Windows\system32\Mgfjld32.exe33⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nbknjm32.exeC:\Windows\system32\Nbknjm32.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Nhhfbd32.exeC:\Windows\system32\Nhhfbd32.exe35⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nbnkomel.exeC:\Windows\system32\Nbnkomel.exe36⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Njiocobg.exeC:\Windows\system32\Njiocobg.exe37⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nagakhfn.exeC:\Windows\system32\Nagakhfn.exe38⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Olfkge32.exeC:\Windows\system32\Olfkge32.exe39⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Okkhhb32.exeC:\Windows\system32\Okkhhb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Obbpio32.exeC:\Windows\system32\Obbpio32.exe41⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Pokndp32.exeC:\Windows\system32\Pokndp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ppmjkhma.exeC:\Windows\system32\Ppmjkhma.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Pgfbhb32.exeC:\Windows\system32\Pgfbhb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Palgek32.exeC:\Windows\system32\Palgek32.exe45⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Pkdknq32.exeC:\Windows\system32\Pkdknq32.exe46⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Pgklcaqi.exeC:\Windows\system32\Pgklcaqi.exe48⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Plhdkhoq.exeC:\Windows\system32\Plhdkhoq.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Pcbmhb32.exeC:\Windows\system32\Pcbmhb32.exe50⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Qljaah32.exeC:\Windows\system32\Qljaah32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Qecejnco.exeC:\Windows\system32\Qecejnco.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Qokjcc32.exeC:\Windows\system32\Qokjcc32.exe53⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Akbkhd32.exeC:\Windows\system32\Akbkhd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Aalcdngp.exeC:\Windows\system32\Aalcdngp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Agikmeeg.exeC:\Windows\system32\Agikmeeg.exe57⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Aqapek32.exeC:\Windows\system32\Aqapek32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Ajidnp32.exeC:\Windows\system32\Ajidnp32.exe59⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe60⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Agmehd32.exeC:\Windows\system32\Agmehd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Amjmpk32.exeC:\Windows\system32\Amjmpk32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Acdemegf.exeC:\Windows\system32\Acdemegf.exe63⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Afbbiafj.exeC:\Windows\system32\Afbbiafj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Anjjjn32.exeC:\Windows\system32\Anjjjn32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Bokfaflj.exeC:\Windows\system32\Bokfaflj.exe66⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Bfeonq32.exeC:\Windows\system32\Bfeonq32.exe67⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Bickkl32.exeC:\Windows\system32\Bickkl32.exe68⤵PID:2396
-
C:\Windows\SysWOW64\Bciohe32.exeC:\Windows\system32\Bciohe32.exe69⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Bkdclgpl.exeC:\Windows\system32\Bkdclgpl.exe70⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Boblbe32.exeC:\Windows\system32\Boblbe32.exe71⤵PID:1588
-
C:\Windows\SysWOW64\Bijakkmc.exeC:\Windows\system32\Bijakkmc.exe72⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Bngicb32.exeC:\Windows\system32\Bngicb32.exe73⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Bimnqk32.exeC:\Windows\system32\Bimnqk32.exe74⤵PID:2776
-
C:\Windows\SysWOW64\Cjnjhcqo.exeC:\Windows\system32\Cjnjhcqo.exe75⤵PID:2124
-
C:\Windows\SysWOW64\Cahbem32.exeC:\Windows\system32\Cahbem32.exe76⤵PID:696
-
C:\Windows\SysWOW64\Cmocjn32.exeC:\Windows\system32\Cmocjn32.exe77⤵PID:1992
-
C:\Windows\SysWOW64\Cefkkk32.exeC:\Windows\system32\Cefkkk32.exe78⤵PID:1392
-
C:\Windows\SysWOW64\Cfggccdp.exeC:\Windows\system32\Cfggccdp.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Camlpldf.exeC:\Windows\system32\Camlpldf.exe80⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Cgfdmf32.exeC:\Windows\system32\Cgfdmf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Cihqdoaa.exeC:\Windows\system32\Cihqdoaa.exe82⤵PID:2188
-
C:\Windows\SysWOW64\Caohfl32.exeC:\Windows\system32\Caohfl32.exe83⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Cjgmoahd.exeC:\Windows\system32\Cjgmoahd.exe84⤵PID:1676
-
C:\Windows\SysWOW64\Clhifj32.exeC:\Windows\system32\Clhifj32.exe85⤵PID:396
-
C:\Windows\SysWOW64\Deanooeb.exeC:\Windows\system32\Deanooeb.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Dpfblh32.exeC:\Windows\system32\Dpfblh32.exe87⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Deckeo32.exeC:\Windows\system32\Deckeo32.exe88⤵PID:1616
-
C:\Windows\SysWOW64\Dlmcaijm.exeC:\Windows\system32\Dlmcaijm.exe89⤵PID:3064
-
C:\Windows\SysWOW64\Dajkjphd.exeC:\Windows\system32\Dajkjphd.exe90⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Donlcdgn.exeC:\Windows\system32\Donlcdgn.exe91⤵PID:2112
-
C:\Windows\SysWOW64\Dehdpnok.exeC:\Windows\system32\Dehdpnok.exe92⤵PID:2816
-
C:\Windows\SysWOW64\Dlblmh32.exeC:\Windows\system32\Dlblmh32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Dmcidqlf.exeC:\Windows\system32\Dmcidqlf.exe94⤵PID:956
-
C:\Windows\SysWOW64\Dejqenmh.exeC:\Windows\system32\Dejqenmh.exe95⤵PID:2784
-
C:\Windows\SysWOW64\Ekgineko.exeC:\Windows\system32\Ekgineko.exe96⤵PID:2724
-
C:\Windows\SysWOW64\Eaaajo32.exeC:\Windows\system32\Eaaajo32.exe97⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Ehkjgi32.exeC:\Windows\system32\Ehkjgi32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Eilfoapg.exeC:\Windows\system32\Eilfoapg.exe99⤵PID:2864
-
C:\Windows\SysWOW64\Eacnpoqi.exeC:\Windows\system32\Eacnpoqi.exe100⤵PID:1764
-
C:\Windows\SysWOW64\Edbjljpm.exeC:\Windows\system32\Edbjljpm.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Eklbid32.exeC:\Windows\system32\Eklbid32.exe102⤵PID:2472
-
C:\Windows\SysWOW64\Emjoep32.exeC:\Windows\system32\Emjoep32.exe103⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Emmljodk.exeC:\Windows\system32\Emmljodk.exe104⤵PID:2760
-
C:\Windows\SysWOW64\Egepce32.exeC:\Windows\system32\Egepce32.exe105⤵PID:2568
-
C:\Windows\SysWOW64\Eaoadb32.exeC:\Windows\system32\Eaoadb32.exe106⤵PID:2196
-
C:\Windows\SysWOW64\Fldeakgp.exeC:\Windows\system32\Fldeakgp.exe107⤵PID:2020
-
C:\Windows\SysWOW64\Fobamgfd.exeC:\Windows\system32\Fobamgfd.exe108⤵PID:1312
-
C:\Windows\SysWOW64\Fkibbh32.exeC:\Windows\system32\Fkibbh32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Feofpqkn.exeC:\Windows\system32\Feofpqkn.exe110⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Fklohgie.exeC:\Windows\system32\Fklohgie.exe111⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Fphgpnhm.exeC:\Windows\system32\Fphgpnhm.exe112⤵PID:1516
-
C:\Windows\SysWOW64\Fjqlid32.exeC:\Windows\system32\Fjqlid32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Fgelbhmg.exeC:\Windows\system32\Fgelbhmg.exe114⤵PID:936
-
C:\Windows\SysWOW64\Glaejokn.exeC:\Windows\system32\Glaejokn.exe115⤵PID:2752
-
C:\Windows\SysWOW64\Gggihhkd.exeC:\Windows\system32\Gggihhkd.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Gjeedcjh.exeC:\Windows\system32\Gjeedcjh.exe117⤵PID:3016
-
C:\Windows\SysWOW64\Gcnjmi32.exeC:\Windows\system32\Gcnjmi32.exe118⤵PID:1504
-
C:\Windows\SysWOW64\Gjhbic32.exeC:\Windows\system32\Gjhbic32.exe119⤵PID:1624
-
C:\Windows\SysWOW64\Gqajfmpb.exeC:\Windows\system32\Gqajfmpb.exe120⤵PID:2044
-
C:\Windows\SysWOW64\Gcpfbhof.exeC:\Windows\system32\Gcpfbhof.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2372
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-