Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 00:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe
-
Size
64KB
-
MD5
0c4a8219f77c7c5dc5db2be1e905b1a0
-
SHA1
e14c375f3a3aefa24a56f4b4332b5ff9ac1e6277
-
SHA256
89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52c
-
SHA512
bc007af09a8927a10e75101e3e071ff5531585e5b5aa31a036dd4da6f05513f40172a473f0a78e0f15c3efdc573b99d255c2b6ae7836f435c060c55f4c51d41c
-
SSDEEP
1536:L++SbKwlGGwBG59htTf8tt4lUXruCHcpzt/Idn:VkTlGGUM9htT6tipFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieofkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieofkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agihgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fleifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpdmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmpdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnmienj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnibcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlfjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddjlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmepgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmollme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhdaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdgmimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jieaofmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenhopmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhdaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjeglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkeokjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egonhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjobffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daplkmbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piabdiep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkef32.exe -
Executes dropped EXE 64 IoCs
pid Process 2580 Khkbbc32.exe 2104 Kpgffe32.exe 2964 Kcgphp32.exe 2828 Lcjlnpmo.exe 2788 Lfkeokjp.exe 2764 Lbafdlod.exe 2792 Lgqkbb32.exe 524 Mnmpdlac.exe 2664 Mkqqnq32.exe 1772 Mnaiol32.exe 2000 Mqbbagjo.exe 3012 Nmkplgnq.exe 2248 Ngealejo.exe 2424 Nameek32.exe 1980 Nbmaon32.exe 1552 Nabopjmj.exe 1036 Opglafab.exe 1192 Oippjl32.exe 2640 Obhdcanc.exe 2312 Omnipjni.exe 2504 Oeindm32.exe 1016 Opnbbe32.exe 2432 Oiffkkbk.exe 2620 Oococb32.exe 1760 Pepcelel.exe 2956 Pohhna32.exe 584 Pgcmbcih.exe 2880 Pdgmlhha.exe 2684 Paknelgk.exe 2704 Pghfnc32.exe 2732 Qndkpmkm.exe 2688 Qdncmgbj.exe 2660 Qnghel32.exe 1144 Accqnc32.exe 1080 Ahpifj32.exe 1128 Ajpepm32.exe 2004 Aomnhd32.exe 2636 Adifpk32.exe 1808 Alqnah32.exe 2420 Aficjnpm.exe 1868 Agjobffl.exe 940 Abpcooea.exe 968 Bgllgedi.exe 1148 Bbbpenco.exe 1556 Cbppnbhm.exe 2400 Ciihklpj.exe 1084 Cileqlmg.exe 2408 Cbdiia32.exe 1104 Cgaaah32.exe 2472 Cnkjnb32.exe 2524 Cgcnghpl.exe 2804 Cnmfdb32.exe 2952 Calcpm32.exe 2928 Cgfkmgnj.exe 2748 Djfdob32.exe 1664 Daplkmbg.exe 2368 Dbaice32.exe 1996 Dpeiligo.exe 1764 Dfpaic32.exe 3028 Dmijfmfi.exe 2132 Dphfbiem.exe 1492 Dfbnoc32.exe 1516 Dlofgj32.exe 236 Eibgpnjk.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 2580 Khkbbc32.exe 2580 Khkbbc32.exe 2104 Kpgffe32.exe 2104 Kpgffe32.exe 2964 Kcgphp32.exe 2964 Kcgphp32.exe 2828 Lcjlnpmo.exe 2828 Lcjlnpmo.exe 2788 Lfkeokjp.exe 2788 Lfkeokjp.exe 2764 Lbafdlod.exe 2764 Lbafdlod.exe 2792 Lgqkbb32.exe 2792 Lgqkbb32.exe 524 Mnmpdlac.exe 524 Mnmpdlac.exe 2664 Mkqqnq32.exe 2664 Mkqqnq32.exe 1772 Mnaiol32.exe 1772 Mnaiol32.exe 2000 Mqbbagjo.exe 2000 Mqbbagjo.exe 3012 Nmkplgnq.exe 3012 Nmkplgnq.exe 2248 Ngealejo.exe 2248 Ngealejo.exe 2424 Nameek32.exe 2424 Nameek32.exe 1980 Nbmaon32.exe 1980 Nbmaon32.exe 1552 Nabopjmj.exe 1552 Nabopjmj.exe 1036 Opglafab.exe 1036 Opglafab.exe 1192 Oippjl32.exe 1192 Oippjl32.exe 2640 Obhdcanc.exe 2640 Obhdcanc.exe 2312 Omnipjni.exe 2312 Omnipjni.exe 2504 Oeindm32.exe 2504 Oeindm32.exe 1016 Opnbbe32.exe 1016 Opnbbe32.exe 2432 Oiffkkbk.exe 2432 Oiffkkbk.exe 2620 Oococb32.exe 2620 Oococb32.exe 1760 Pepcelel.exe 1760 Pepcelel.exe 2956 Pohhna32.exe 2956 Pohhna32.exe 584 Pgcmbcih.exe 584 Pgcmbcih.exe 2880 Pdgmlhha.exe 2880 Pdgmlhha.exe 2684 Paknelgk.exe 2684 Paknelgk.exe 2704 Pghfnc32.exe 2704 Pghfnc32.exe 2732 Qndkpmkm.exe 2732 Qndkpmkm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kbmfgk32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Aemgfj32.dll Aacmij32.exe File created C:\Windows\SysWOW64\Anjnnk32.exe Ahmefdcp.exe File created C:\Windows\SysWOW64\Paknelgk.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Jcojqm32.dll Bgllgedi.exe File created C:\Windows\SysWOW64\Epeekmjk.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Ljdpbj32.dll Fahhnn32.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Kjeglh32.exe File opened for modification C:\Windows\SysWOW64\Adifpk32.exe Aomnhd32.exe File opened for modification C:\Windows\SysWOW64\Ahmefdcp.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Ajehnk32.exe Agglbp32.exe File created C:\Windows\SysWOW64\Dnlcjk32.dll Ingkdeak.exe File created C:\Windows\SysWOW64\Boifga32.exe Bhonjg32.exe File created C:\Windows\SysWOW64\Enemcbio.dll Oiffkkbk.exe File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Alqnah32.exe File created C:\Windows\SysWOW64\Eanldqgf.exe Elacliin.exe File created C:\Windows\SysWOW64\Mhniklfm.dll Kpgffe32.exe File created C:\Windows\SysWOW64\Coicfd32.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Pnchhllf.exe Oaogognm.exe File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe Deondj32.exe File created C:\Windows\SysWOW64\Cdoime32.dll Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Ajpepm32.exe File created C:\Windows\SysWOW64\Omakjj32.dll Cnkjnb32.exe File created C:\Windows\SysWOW64\Djfdob32.exe Cgfkmgnj.exe File opened for modification C:\Windows\SysWOW64\Kmegjdad.exe Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Ckeqga32.exe Ccnifd32.exe File opened for modification C:\Windows\SysWOW64\Kapohbfp.exe Kjeglh32.exe File created C:\Windows\SysWOW64\Opglafab.exe Nabopjmj.exe File opened for modification C:\Windows\SysWOW64\Qnghel32.exe Qdncmgbj.exe File opened for modification C:\Windows\SysWOW64\Jajmjcoe.exe Jjpdmi32.exe File created C:\Windows\SysWOW64\Gbccnjjb.dll Gqlhkofn.exe File created C:\Windows\SysWOW64\Engeeehn.dll Cjljnn32.exe File created C:\Windows\SysWOW64\Bccjfi32.dll Libjncnc.exe File created C:\Windows\SysWOW64\Pghfnc32.exe Paknelgk.exe File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe Cgaaah32.exe File created C:\Windows\SysWOW64\Gdnibjgk.dll Djfdob32.exe File created C:\Windows\SysWOW64\Alageg32.exe Ajckilei.exe File created C:\Windows\SysWOW64\Phoogg32.dll Ajehnk32.exe File created C:\Windows\SysWOW64\Inppon32.dll Bqmpdioa.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Nameek32.exe File created C:\Windows\SysWOW64\Geoghd32.dll Ieofkp32.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qldhkc32.exe File created C:\Windows\SysWOW64\Gfnafi32.dll Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Fnibcd32.exe Fhljkm32.exe File opened for modification C:\Windows\SysWOW64\Deondj32.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Iblkei32.dll Ijphofem.exe File created C:\Windows\SysWOW64\Nhknco32.dll Jenbjc32.exe File created C:\Windows\SysWOW64\Kbmfgk32.exe Jieaofmp.exe File opened for modification C:\Windows\SysWOW64\Kilgoe32.exe Kpdcfoph.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Cfehhn32.exe File created C:\Windows\SysWOW64\Ngealejo.exe Nmkplgnq.exe File opened for modification C:\Windows\SysWOW64\Pdgmlhha.exe Pgcmbcih.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Pgcmbcih.exe File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe Emdeok32.exe File created C:\Windows\SysWOW64\Ljpfmo32.dll Ifgicg32.exe File created C:\Windows\SysWOW64\Jnpojnle.dll Ppddpd32.exe File opened for modification C:\Windows\SysWOW64\Apppkekc.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Apimlcdc.dll Piabdiep.exe File opened for modification C:\Windows\SysWOW64\Oococb32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Olbkdn32.dll Qdncmgbj.exe File created C:\Windows\SysWOW64\Ephbal32.exe Egonhf32.exe File opened for modification C:\Windows\SysWOW64\Dphfbiem.exe Dmijfmfi.exe File created C:\Windows\SysWOW64\Hiqoeplo.exe Hcdgmimg.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hiclkp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3856 3568 WerFault.exe 274 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibcoalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piliii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elacliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkalhgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapeic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnkifgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmpdioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fleifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bolcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfiema32.dll" Hghillnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Qaapcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll" Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihdl32.dll" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfbnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elacliin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Makpje32.dll" Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgghac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjljfn32.dll" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naolaobc.dll" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifjic32.dll" Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhngh32.dll" Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkng32.dll" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbahid32.dll" Dpeiligo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeekmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajckilei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbllnlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edidqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghacfmic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jigbebhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Kpieengb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmpj32.dll" Dphfbiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjleclph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjogcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoogg32.dll" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fniamd32.dll" Kilgoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2580 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 30 PID 2188 wrote to memory of 2580 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 30 PID 2188 wrote to memory of 2580 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 30 PID 2188 wrote to memory of 2580 2188 89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe 30 PID 2580 wrote to memory of 2104 2580 Khkbbc32.exe 31 PID 2580 wrote to memory of 2104 2580 Khkbbc32.exe 31 PID 2580 wrote to memory of 2104 2580 Khkbbc32.exe 31 PID 2580 wrote to memory of 2104 2580 Khkbbc32.exe 31 PID 2104 wrote to memory of 2964 2104 Kpgffe32.exe 32 PID 2104 wrote to memory of 2964 2104 Kpgffe32.exe 32 PID 2104 wrote to memory of 2964 2104 Kpgffe32.exe 32 PID 2104 wrote to memory of 2964 2104 Kpgffe32.exe 32 PID 2964 wrote to memory of 2828 2964 Kcgphp32.exe 33 PID 2964 wrote to memory of 2828 2964 Kcgphp32.exe 33 PID 2964 wrote to memory of 2828 2964 Kcgphp32.exe 33 PID 2964 wrote to memory of 2828 2964 Kcgphp32.exe 33 PID 2828 wrote to memory of 2788 2828 Lcjlnpmo.exe 34 PID 2828 wrote to memory of 2788 2828 Lcjlnpmo.exe 34 PID 2828 wrote to memory of 2788 2828 Lcjlnpmo.exe 34 PID 2828 wrote to memory of 2788 2828 Lcjlnpmo.exe 34 PID 2788 wrote to memory of 2764 2788 Lfkeokjp.exe 35 PID 2788 wrote to memory of 2764 2788 Lfkeokjp.exe 35 PID 2788 wrote to memory of 2764 2788 Lfkeokjp.exe 35 PID 2788 wrote to memory of 2764 2788 Lfkeokjp.exe 35 PID 2764 wrote to memory of 2792 2764 Lbafdlod.exe 36 PID 2764 wrote to memory of 2792 2764 Lbafdlod.exe 36 PID 2764 wrote to memory of 2792 2764 Lbafdlod.exe 36 PID 2764 wrote to memory of 2792 2764 Lbafdlod.exe 36 PID 2792 wrote to memory of 524 2792 Lgqkbb32.exe 37 PID 2792 wrote to memory of 524 2792 Lgqkbb32.exe 37 PID 2792 wrote to memory of 524 2792 Lgqkbb32.exe 37 PID 2792 wrote to memory of 524 2792 Lgqkbb32.exe 37 PID 524 wrote to memory of 2664 524 Mnmpdlac.exe 38 PID 524 wrote to memory of 2664 524 Mnmpdlac.exe 38 PID 524 wrote to memory of 2664 524 Mnmpdlac.exe 38 PID 524 wrote to memory of 2664 524 Mnmpdlac.exe 38 PID 2664 wrote to memory of 1772 2664 Mkqqnq32.exe 39 PID 2664 wrote to memory of 1772 2664 Mkqqnq32.exe 39 PID 2664 wrote to memory of 1772 2664 Mkqqnq32.exe 39 PID 2664 wrote to memory of 1772 2664 Mkqqnq32.exe 39 PID 1772 wrote to memory of 2000 1772 Mnaiol32.exe 40 PID 1772 wrote to memory of 2000 1772 Mnaiol32.exe 40 PID 1772 wrote to memory of 2000 1772 Mnaiol32.exe 40 PID 1772 wrote to memory of 2000 1772 Mnaiol32.exe 40 PID 2000 wrote to memory of 3012 2000 Mqbbagjo.exe 41 PID 2000 wrote to memory of 3012 2000 Mqbbagjo.exe 41 PID 2000 wrote to memory of 3012 2000 Mqbbagjo.exe 41 PID 2000 wrote to memory of 3012 2000 Mqbbagjo.exe 41 PID 3012 wrote to memory of 2248 3012 Nmkplgnq.exe 42 PID 3012 wrote to memory of 2248 3012 Nmkplgnq.exe 42 PID 3012 wrote to memory of 2248 3012 Nmkplgnq.exe 42 PID 3012 wrote to memory of 2248 3012 Nmkplgnq.exe 42 PID 2248 wrote to memory of 2424 2248 Ngealejo.exe 43 PID 2248 wrote to memory of 2424 2248 Ngealejo.exe 43 PID 2248 wrote to memory of 2424 2248 Ngealejo.exe 43 PID 2248 wrote to memory of 2424 2248 Ngealejo.exe 43 PID 2424 wrote to memory of 1980 2424 Nameek32.exe 44 PID 2424 wrote to memory of 1980 2424 Nameek32.exe 44 PID 2424 wrote to memory of 1980 2424 Nameek32.exe 44 PID 2424 wrote to memory of 1980 2424 Nameek32.exe 44 PID 1980 wrote to memory of 1552 1980 Nbmaon32.exe 45 PID 1980 wrote to memory of 1552 1980 Nbmaon32.exe 45 PID 1980 wrote to memory of 1552 1980 Nbmaon32.exe 45 PID 1980 wrote to memory of 1552 1980 Nbmaon32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe"C:\Users\Admin\AppData\Local\Temp\89aeb2efa83f04f9b5bacf6f4fa2c07470fba27b069463aae53d994831d2d52cN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe35⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe39⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe45⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe48⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe49⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe52⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe54⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe60⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe65⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe67⤵PID:2164
-
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe69⤵PID:264
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe70⤵PID:2076
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe76⤵PID:2736
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe77⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe78⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe80⤵PID:2276
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe81⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe83⤵PID:1828
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe84⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe87⤵PID:2336
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe88⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe89⤵PID:2532
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe91⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe92⤵PID:1532
-
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe93⤵PID:1832
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe95⤵PID:1984
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe97⤵PID:1064
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe98⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe102⤵PID:2168
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe103⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe104⤵PID:2696
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe105⤵PID:2816
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe106⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe108⤵PID:2588
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe109⤵
- Modifies registry class
PID:656 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe111⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe113⤵PID:3040
-
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe114⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe115⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe116⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe119⤵PID:1788
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2564
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-