Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
-
Size
59KB
-
MD5
fc419c26d104cd8a0b862d83bdf54cf0
-
SHA1
966f9efba96c81c94476223a3bc74db6e814c80a
-
SHA256
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60
-
SHA512
bb7ecfa5da8b4e6abb06cc9add75e5ad9a3858c0815f8e212d2d421024e01abcca383bd78e242eef005d444555c80f5277da485f1492255c50b6061f55734420
-
SSDEEP
1536:YohELnh5duVoW1wjGsjuuuZq45Vrcy2LtO:DELnfdUPKjGsjuuuZq43retO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpmpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioliqbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inafbooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgmijgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbokgpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgopf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnlbcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhikme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihobnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogekpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcccpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkljdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkpedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjlgfaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcdbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkjbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahhgnkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcmbgkj.exe -
Executes dropped EXE 64 IoCs
pid Process 2724 Emkkdf32.exe 2444 Ebgclm32.exe 2772 Edfpih32.exe 2576 Fokdfajl.exe 2636 Fidhof32.exe 636 Fkbdkb32.exe 1792 Fblmglgm.exe 2432 Fqomci32.exe 2820 Fgiepced.exe 2012 Fjgalndh.exe 1980 Fmfnhj32.exe 2912 Femeig32.exe 1964 Fjjnan32.exe 2556 Fqcfnhjb.exe 2252 Fcbbjcif.exe 2240 Ffqofohj.exe 1508 Fafcdh32.exe 2092 Fcdopc32.exe 1672 Ffcllo32.exe 2044 Giahhj32.exe 1292 Gpkpedmh.exe 2416 Gbjlaplk.exe 960 Gehhmkko.exe 1920 Glbqje32.exe 1900 Gfgegnbb.exe 2848 Gejebk32.exe 2580 Gldmoepi.exe 2728 Gppipc32.exe 2584 Gihniioc.exe 2616 Ghkndf32.exe 532 Ghmkjedk.exe 1424 Gjlgfaco.exe 2612 Heakcjcd.exe 2156 Hfbhkb32.exe 2644 Hmmphlpp.exe 2876 Hdfhdfgl.exe 2812 Hhbdee32.exe 1740 Hjqqap32.exe 2188 Hicqmmfc.exe 2248 Hajinjff.exe 2352 Hfgafadm.exe 2032 Hjcmgp32.exe 2420 Hmaick32.exe 1276 Hldjnhce.exe 1592 Hdkape32.exe 912 Hihjhl32.exe 1604 Hlffdh32.exe 1928 Hpbbdfik.exe 2852 Hbqoqbho.exe 1524 Hflkaq32.exe 2600 Hijgml32.exe 2604 Ihmgiiff.exe 2068 Ilicig32.exe 336 Ipdojfgh.exe 1732 Iogoec32.exe 2296 Ibckfa32.exe 852 Iaelanmg.exe 1760 Ieagbm32.exe 2768 Iimcclni.exe 2960 Ihpdoh32.exe 2228 Ilkpogmm.exe 2308 Iknpkd32.exe 1484 Ioilkblq.exe 2500 Ibehla32.exe -
Loads dropped DLL 64 IoCs
pid Process 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 2724 Emkkdf32.exe 2724 Emkkdf32.exe 2444 Ebgclm32.exe 2444 Ebgclm32.exe 2772 Edfpih32.exe 2772 Edfpih32.exe 2576 Fokdfajl.exe 2576 Fokdfajl.exe 2636 Fidhof32.exe 2636 Fidhof32.exe 636 Fkbdkb32.exe 636 Fkbdkb32.exe 1792 Fblmglgm.exe 1792 Fblmglgm.exe 2432 Fqomci32.exe 2432 Fqomci32.exe 2820 Fgiepced.exe 2820 Fgiepced.exe 2012 Fjgalndh.exe 2012 Fjgalndh.exe 1980 Fmfnhj32.exe 1980 Fmfnhj32.exe 2912 Femeig32.exe 2912 Femeig32.exe 1964 Fjjnan32.exe 1964 Fjjnan32.exe 2556 Fqcfnhjb.exe 2556 Fqcfnhjb.exe 2252 Fcbbjcif.exe 2252 Fcbbjcif.exe 2240 Ffqofohj.exe 2240 Ffqofohj.exe 1508 Fafcdh32.exe 1508 Fafcdh32.exe 2092 Fcdopc32.exe 2092 Fcdopc32.exe 1672 Ffcllo32.exe 1672 Ffcllo32.exe 2044 Giahhj32.exe 2044 Giahhj32.exe 1292 Gpkpedmh.exe 1292 Gpkpedmh.exe 2416 Gbjlaplk.exe 2416 Gbjlaplk.exe 960 Gehhmkko.exe 960 Gehhmkko.exe 1920 Glbqje32.exe 1920 Glbqje32.exe 1900 Gfgegnbb.exe 1900 Gfgegnbb.exe 2848 Gejebk32.exe 2848 Gejebk32.exe 2580 Gldmoepi.exe 2580 Gldmoepi.exe 2728 Gppipc32.exe 2728 Gppipc32.exe 2584 Gihniioc.exe 2584 Gihniioc.exe 2616 Ghkndf32.exe 2616 Ghkndf32.exe 532 Ghmkjedk.exe 532 Ghmkjedk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljldnhid.exe Process not Found File created C:\Windows\SysWOW64\Iclbpj32.exe Process not Found File created C:\Windows\SysWOW64\Hfgafadm.exe Hajinjff.exe File opened for modification C:\Windows\SysWOW64\Afjjed32.exe Aopahjll.exe File created C:\Windows\SysWOW64\Paiaplin.exe Pojecajj.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Napbjjom.exe File created C:\Windows\SysWOW64\Hiablm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Obbdml32.exe Process not Found File created C:\Windows\SysWOW64\Qknjgb32.dll Gjlgfaco.exe File opened for modification C:\Windows\SysWOW64\Knnkpobc.exe Kllnhg32.exe File created C:\Windows\SysWOW64\Iddklgpc.dll Bfqpecma.exe File created C:\Windows\SysWOW64\Fejhndnn.dll Bofgii32.exe File created C:\Windows\SysWOW64\Mqjefamk.exe Process not Found File created C:\Windows\SysWOW64\Leopgo32.exe Lflplbpi.exe File created C:\Windows\SysWOW64\Hphidanj.exe Hllmcc32.exe File opened for modification C:\Windows\SysWOW64\Idadnd32.exe Ipehmebh.exe File created C:\Windows\SysWOW64\Dcfpel32.exe Dpgcip32.exe File created C:\Windows\SysWOW64\Lfffifgk.dll Process not Found File created C:\Windows\SysWOW64\Lhfnkqgk.exe Process not Found File created C:\Windows\SysWOW64\Mkehop32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dbncjf32.exe Djgkii32.exe File created C:\Windows\SysWOW64\Fgpomb32.dll Dddimn32.exe File created C:\Windows\SysWOW64\Fhljkm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Imjkpb32.exe Process not Found File created C:\Windows\SysWOW64\Cggioi32.dll Process not Found File created C:\Windows\SysWOW64\Kfodfh32.exe Process not Found File created C:\Windows\SysWOW64\Ilppdi32.dll Iajemnia.exe File created C:\Windows\SysWOW64\Jkbojpna.exe Jgfcja32.exe File created C:\Windows\SysWOW64\Dklddhka.exe Dhmhhmlm.exe File opened for modification C:\Windows\SysWOW64\Fhikme32.exe Ffkoai32.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Lboiol32.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mbhlek32.exe File created C:\Windows\SysWOW64\Glchpp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Onnnml32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gejebk32.exe Gfgegnbb.exe File created C:\Windows\SysWOW64\Lmlhjg32.dll Qinjgbpg.exe File created C:\Windows\SysWOW64\Bodklh32.dll Bleeioil.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hbkqdepm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmnqje32.exe Process not Found File created C:\Windows\SysWOW64\Plpopddd.exe Process not Found File created C:\Windows\SysWOW64\Kklikejc.exe Kgpmjf32.exe File created C:\Windows\SysWOW64\Afajafoa.exe Accnekon.exe File created C:\Windows\SysWOW64\Bnapob32.dll Aekqmbod.exe File created C:\Windows\SysWOW64\Fijjok32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ofoabofe.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npaich32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Jimbkh32.exe Jbcjnnpl.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jbefcm32.exe File created C:\Windows\SysWOW64\Onfoin32.exe Nfoghakb.exe File created C:\Windows\SysWOW64\Kkileele.exe Kqdhhm32.exe File opened for modification C:\Windows\SysWOW64\Pgnjde32.exe Pdonhj32.exe File created C:\Windows\SysWOW64\Kncinl32.dll Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Flocfmnl.exe Process not Found File created C:\Windows\SysWOW64\Jeadap32.exe Jpdkii32.exe File created C:\Windows\SysWOW64\Hpiocebf.dll Anneqafn.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Eggndi32.exe File created C:\Windows\SysWOW64\Ejecol32.dll Hdoghdmd.exe File opened for modification C:\Windows\SysWOW64\Jpogbgmi.exe Jnpkflne.exe File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Igebkiof.exe Process not Found File created C:\Windows\SysWOW64\Gfkkpmko.exe Gcmoda32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nefdpjkl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4112 5180 Process not Found 1643 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idadnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdfnehp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poklngnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhlbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchmkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qngopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaebkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibfajdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlddkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhiholof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkihdioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leammn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinklffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miehak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpiedieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckolek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgmbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioliqbjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecfeg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglabp32.dll" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikgge32.dll" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnhnji.dll" Bnnaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdii32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibagdh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgela32.dll" Nemhhpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejgccq32.dll" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnpjhai.dll" Kkgopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capocbbb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkbmo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fokdfajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Makjho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loeccoai.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkgo32.dll" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjmnknl.dll" Fjhcegll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqimphik.dll" Hifpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omklkkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbhmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfcja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcale32.dll" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daipqhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcldhnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkpdn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgilkf32.dll" Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbldf32.dll" Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcdhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdgpabaa.dll" Odbeilbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogalkad.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fafcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjekfd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2724 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 30 PID 1032 wrote to memory of 2724 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 30 PID 1032 wrote to memory of 2724 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 30 PID 1032 wrote to memory of 2724 1032 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 30 PID 2724 wrote to memory of 2444 2724 Emkkdf32.exe 31 PID 2724 wrote to memory of 2444 2724 Emkkdf32.exe 31 PID 2724 wrote to memory of 2444 2724 Emkkdf32.exe 31 PID 2724 wrote to memory of 2444 2724 Emkkdf32.exe 31 PID 2444 wrote to memory of 2772 2444 Ebgclm32.exe 32 PID 2444 wrote to memory of 2772 2444 Ebgclm32.exe 32 PID 2444 wrote to memory of 2772 2444 Ebgclm32.exe 32 PID 2444 wrote to memory of 2772 2444 Ebgclm32.exe 32 PID 2772 wrote to memory of 2576 2772 Edfpih32.exe 33 PID 2772 wrote to memory of 2576 2772 Edfpih32.exe 33 PID 2772 wrote to memory of 2576 2772 Edfpih32.exe 33 PID 2772 wrote to memory of 2576 2772 Edfpih32.exe 33 PID 2576 wrote to memory of 2636 2576 Fokdfajl.exe 34 PID 2576 wrote to memory of 2636 2576 Fokdfajl.exe 34 PID 2576 wrote to memory of 2636 2576 Fokdfajl.exe 34 PID 2576 wrote to memory of 2636 2576 Fokdfajl.exe 34 PID 2636 wrote to memory of 636 2636 Fidhof32.exe 35 PID 2636 wrote to memory of 636 2636 Fidhof32.exe 35 PID 2636 wrote to memory of 636 2636 Fidhof32.exe 35 PID 2636 wrote to memory of 636 2636 Fidhof32.exe 35 PID 636 wrote to memory of 1792 636 Fkbdkb32.exe 36 PID 636 wrote to memory of 1792 636 Fkbdkb32.exe 36 PID 636 wrote to memory of 1792 636 Fkbdkb32.exe 36 PID 636 wrote to memory of 1792 636 Fkbdkb32.exe 36 PID 1792 wrote to memory of 2432 1792 Fblmglgm.exe 37 PID 1792 wrote to memory of 2432 1792 Fblmglgm.exe 37 PID 1792 wrote to memory of 2432 1792 Fblmglgm.exe 37 PID 1792 wrote to memory of 2432 1792 Fblmglgm.exe 37 PID 2432 wrote to memory of 2820 2432 Fqomci32.exe 38 PID 2432 wrote to memory of 2820 2432 Fqomci32.exe 38 PID 2432 wrote to memory of 2820 2432 Fqomci32.exe 38 PID 2432 wrote to memory of 2820 2432 Fqomci32.exe 38 PID 2820 wrote to memory of 2012 2820 Fgiepced.exe 39 PID 2820 wrote to memory of 2012 2820 Fgiepced.exe 39 PID 2820 wrote to memory of 2012 2820 Fgiepced.exe 39 PID 2820 wrote to memory of 2012 2820 Fgiepced.exe 39 PID 2012 wrote to memory of 1980 2012 Fjgalndh.exe 40 PID 2012 wrote to memory of 1980 2012 Fjgalndh.exe 40 PID 2012 wrote to memory of 1980 2012 Fjgalndh.exe 40 PID 2012 wrote to memory of 1980 2012 Fjgalndh.exe 40 PID 1980 wrote to memory of 2912 1980 Fmfnhj32.exe 41 PID 1980 wrote to memory of 2912 1980 Fmfnhj32.exe 41 PID 1980 wrote to memory of 2912 1980 Fmfnhj32.exe 41 PID 1980 wrote to memory of 2912 1980 Fmfnhj32.exe 41 PID 2912 wrote to memory of 1964 2912 Femeig32.exe 42 PID 2912 wrote to memory of 1964 2912 Femeig32.exe 42 PID 2912 wrote to memory of 1964 2912 Femeig32.exe 42 PID 2912 wrote to memory of 1964 2912 Femeig32.exe 42 PID 1964 wrote to memory of 2556 1964 Fjjnan32.exe 43 PID 1964 wrote to memory of 2556 1964 Fjjnan32.exe 43 PID 1964 wrote to memory of 2556 1964 Fjjnan32.exe 43 PID 1964 wrote to memory of 2556 1964 Fjjnan32.exe 43 PID 2556 wrote to memory of 2252 2556 Fqcfnhjb.exe 44 PID 2556 wrote to memory of 2252 2556 Fqcfnhjb.exe 44 PID 2556 wrote to memory of 2252 2556 Fqcfnhjb.exe 44 PID 2556 wrote to memory of 2252 2556 Fqcfnhjb.exe 44 PID 2252 wrote to memory of 2240 2252 Fcbbjcif.exe 45 PID 2252 wrote to memory of 2240 2252 Fcbbjcif.exe 45 PID 2252 wrote to memory of 2240 2252 Fcbbjcif.exe 45 PID 2252 wrote to memory of 2240 2252 Fcbbjcif.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe"C:\Users\Admin\AppData\Local\Temp\ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe35⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe36⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe37⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe38⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe39⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe42⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe43⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe44⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe45⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe46⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe47⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe48⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe49⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe50⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe51⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe52⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe53⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe54⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe55⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe56⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe58⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe59⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe60⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe61⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe62⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe63⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe64⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe65⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe67⤵PID:1160
-
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe69⤵PID:2572
-
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe70⤵PID:1936
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe73⤵PID:1716
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe74⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe75⤵PID:1272
-
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe76⤵PID:2824
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe77⤵PID:2144
-
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe80⤵PID:1696
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe81⤵PID:1876
-
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe82⤵PID:1120
-
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe83⤵PID:1632
-
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe84⤵PID:2764
-
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe85⤵PID:1804
-
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe86⤵PID:3016
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe87⤵PID:1584
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe88⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe89⤵PID:1452
-
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe91⤵PID:1056
-
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe92⤵PID:1076
-
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe93⤵PID:1684
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe94⤵PID:1888
-
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe95⤵PID:2380
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe96⤵
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe97⤵PID:1640
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe98⤵PID:2652
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe99⤵PID:1364
-
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe101⤵PID:2108
-
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe102⤵PID:1868
-
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe103⤵PID:700
-
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe104⤵PID:1504
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe105⤵PID:2184
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe107⤵PID:1644
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe108⤵PID:2880
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe110⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe111⤵PID:1108
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe112⤵PID:2884
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe114⤵PID:2152
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe115⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe116⤵PID:1548
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe117⤵PID:2976
-
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe118⤵PID:1012
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe119⤵PID:264
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe120⤵PID:2460
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe121⤵PID:2160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-