Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 139s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 06/08/2024, 23:38
Static task: static1
Behavioral task: behavioral1
  Sample: 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe
  Resource: win10v2004-20240802-en
General
Target: 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe
Size: 467KB
MD5: f3a3695531196d74229de250db9a7093
SHA1: 0dada84cae063b4c55c9970b55381572ebce8b70
SHA256: 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9
SHA512: 8d802a9e52e09a7a56501cab095c80b9a334f6fd39043d4a4628a4926572b66e77ba3f951fe4891d762c4dfa859d3a259f07eaa1ad69d7033c493a169e6a2ced
SSDEEP: 12288:C8A2o8wE39uW8wESByvNv54B9f01ZmHByvNv5:O2o8wDW8wQvr4B9f01ZmQvr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target  Process       procid_target
6104  6072        WerFault.exe  527
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1712 wrote to memory of 1224 | 1712 | 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe | 29
PID 1712 wrote to memory of 1224 | 1712 | 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe | 29
PID 1712 wrote to memory of 1224 | 1712 | 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe | 29
PID 1712 wrote to memory of 1224 | 1712 | 7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe | 29
PID 1224 wrote to memory of 2016 | 1224 | Kncmknkg.exe | 30
PID 1224 wrote to memory of 2016 | 1224 | Kncmknkg.exe | 30
PID 1224 wrote to memory of 2016 | 1224 | Kncmknkg.exe | 30
PID 1224 wrote to memory of 2016 | 1224 | Kncmknkg.exe | 30
PID 2016 wrote to memory of 2768 | 2016 | Lqdfmihh.exe | 31
PID 2016 wrote to memory of 2768 | 2016 | Lqdfmihh.exe | 31
PID 2016 wrote to memory of 2768 | 2016 | Lqdfmihh.exe | 31
PID 2016 wrote to memory of 2768 | 2016 | Lqdfmihh.exe | 31
PID 2768 wrote to memory of 2884 | 2768 | Ljljenoi.exe | 32
PID 2768 wrote to memory of 2884 | 2768 | Ljljenoi.exe | 32
PID 2768 wrote to memory of 2884 | 2768 | Ljljenoi.exe | 32
PID 2768 wrote to memory of 2884 | 2768 | Ljljenoi.exe | 32
PID 2884 wrote to memory of 2832 | 2884 | Lfckko32.exe | 33
PID 2884 wrote to memory of 2832 | 2884 | Lfckko32.exe | 33
PID 2884 wrote to memory of 2832 | 2884 | Lfckko32.exe | 33
PID 2884 wrote to memory of 2832 | 2884 | Lfckko32.exe | 33
PID 2832 wrote to memory of 2620 | 2832 | Ljadqn32.exe | 34
PID 2832 wrote to memory of 2620 | 2832 | Ljadqn32.exe | 34
PID 2832 wrote to memory of 2620 | 2832 | Ljadqn32.exe | 34
PID 2832 wrote to memory of 2620 | 2832 | Ljadqn32.exe | 34
PID 2620 wrote to memory of 2172 | 2620 | Lmppmi32.exe | 35
PID 2620 wrote to memory of 2172 | 2620 | Lmppmi32.exe | 35
PID 2620 wrote to memory of 2172 | 2620 | Lmppmi32.exe | 35
PID 2620 wrote to memory of 2172 | 2620 | Lmppmi32.exe | 35
PID 2172 wrote to memory of 2804 | 2172 | Mncijanc.exe | 36
PID 2172 wrote to memory of 2804 | 2172 | Mncijanc.exe | 36
PID 2172 wrote to memory of 2804 | 2172 | Mncijanc.exe | 36
PID 2172 wrote to memory of 2804 | 2172 | Mncijanc.exe | 36
PID 2804 wrote to memory of 1792 | 2804 | Mfjaknoe.exe | 37
PID 2804 wrote to memory of 1792 | 2804 | Mfjaknoe.exe | 37
PID 2804 wrote to memory of 1792 | 2804 | Mfjaknoe.exe | 37
PID 2804 wrote to memory of 1792 | 2804 | Mfjaknoe.exe | 37
PID 1792 wrote to memory of 2432 | 1792 | Mafoal32.exe | 38
PID 1792 wrote to memory of 2432 | 1792 | Mafoal32.exe | 38
PID 1792 wrote to memory of 2432 | 1792 | Mafoal32.exe | 38
PID 1792 wrote to memory of 2432 | 1792 | Mafoal32.exe | 38
PID 2432 wrote to memory of 1228 | 2432 | Mmmpfm32.exe | 39
PID 2432 wrote to memory of 1228 | 2432 | Mmmpfm32.exe | 39
PID 2432 wrote to memory of 1228 | 2432 | Mmmpfm32.exe | 39
PID 2432 wrote to memory of 1228 | 2432 | Mmmpfm32.exe | 39
PID 1228 wrote to memory of 2908 | 1228 | Mcghcgfb.exe | 40
PID 1228 wrote to memory of 2908 | 1228 | Mcghcgfb.exe | 40
PID 1228 wrote to memory of 2908 | 1228 | Mcghcgfb.exe | 40
PID 1228 wrote to memory of 2908 | 1228 | Mcghcgfb.exe | 40
PID 2908 wrote to memory of 1460 | 2908 | Mdidhfdp.exe | 41
PID 2908 wrote to memory of 1460 | 2908 | Mdidhfdp.exe | 41
PID 2908 wrote to memory of 1460 | 2908 | Mdidhfdp.exe | 41
PID 2908 wrote to memory of 1460 | 2908 | Mdidhfdp.exe | 41
PID 1460 wrote to memory of 3020 | 1460 | Nfgadbcc.exe | 42
PID 1460 wrote to memory of 3020 | 1460 | Nfgadbcc.exe | 42
PID 1460 wrote to memory of 3020 | 1460 | Nfgadbcc.exe | 42
PID 1460 wrote to memory of 3020 | 1460 | Nfgadbcc.exe | 42
PID 3020 wrote to memory of 2376 | 3020 | Nlibhhme.exe | 43
PID 3020 wrote to memory of 2376 | 3020 | Nlibhhme.exe | 43
PID 3020 wrote to memory of 2376 | 3020 | Nlibhhme.exe | 43
PID 3020 wrote to memory of 2376 | 3020 | Nlibhhme.exe | 43
PID 2376 wrote to memory of 2116 | 2376 | Neagan32.exe | 44
PID 2376 wrote to memory of 2116 | 2376 | Neagan32.exe | 44
PID 2376 wrote to memory of 2116 | 2376 | Neagan32.exe | 44
PID 2376 wrote to memory of 2116 | 2376 | Neagan32.exe | 44
Processes
C:\Users\Admin\AppData\Local\Temp\7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7d07f74301cdf2aea3826ce3d2414b294d252eace238bab3271f7d150bb0faf9.exe"
Depth: 1
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1712

C:\Windows\SysWOW64\Kncmknkg.exe
Command line: C:\Windows\system32\Kncmknkg.exe
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1224

C:\Windows\SysWOW64\Lqdfmihh.exe
Command line: C:\Windows\system32\Lqdfmihh.exe
Depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2016

C:\Windows\SysWOW64\Ljljenoi.exe
Command line: C:\Windows\system32\Ljljenoi.exe
Depth: 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2768

C:\Windows\SysWOW64\Lfckko32.exe
Command line: C:\Windows\system32\Lfckko32.exe
Depth: 5
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2884

C:\Windows\SysWOW64\Ljadqn32.exe
Command line: C:\Windows\system32\Ljadqn32.exe
Depth: 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2832

C:\Windows\SysWOW64\Lmppmi32.exe
Command line: C:\Windows\system32\Lmppmi32.exe
Depth: 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2620

C:\Windows\SysWOW64\Mncijanc.exe
Command line: C:\Windows\system32\Mncijanc.exe
Depth: 8
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2172

C:\Windows\SysWOW64\Mfjaknoe.exe
Command line: C:\Windows\system32\Mfjaknoe.exe
Depth: 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2804

C:\Windows\SysWOW64\Mafoal32.exe
Command line: C:\Windows\system32\Mafoal32.exe
Depth: 10
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1792

C:\Windows\SysWOW64\Mmmpfm32.exe
Command line: C:\Windows\system32\Mmmpfm32.exe
Depth: 11
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2432

C:\Windows\SysWOW64\Mcghcgfb.exe
Command line: C:\Windows\system32\Mcghcgfb.exe
Depth: 12
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1228

C:\Windows\SysWOW64\Mdidhfdp.exe
Command line: C:\Windows\system32\Mdidhfdp.exe
Depth: 13
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2908

C:\Windows\SysWOW64\Nfgadbcc.exe
Command line: C:\Windows\system32\Nfgadbcc.exe
Depth: 14
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1460

C:\Windows\SysWOW64\Nlibhhme.exe
Command line: C:\Windows\system32\Nlibhhme.exe
Depth: 15
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3020

C:\Windows\SysWOW64\Neagan32.exe
Command line: C:\Windows\system32\Neagan32.exe
Depth: 16
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2376

C:\Windows\SysWOW64\Nkqlodpk.exe
Command line: C:\Windows\system32\Nkqlodpk.exe
Depth: 17
- Executes dropped EXE
- Loads dropped DLL
PID: 2116

C:\Windows\SysWOW64\Oakdkn32.exe
Command line: C:\Windows\system32\Oakdkn32.exe
Depth: 18
- Executes dropped EXE
- Loads dropped DLL
PID: 2536

C:\Windows\SysWOW64\Okefjcle.exe
Command line: C:\Windows\system32\Okefjcle.exe
Depth: 19
- Executes dropped EXE
- Loads dropped DLL
PID: 1964

C:\Windows\SysWOW64\Omdbfo32.exe
Command line: C:\Windows\system32\Omdbfo32.exe
Depth: 20
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1672

C:\Windows\SysWOW64\Ohifch32.exe
Command line: C:\Windows\system32\Ohifch32.exe
Depth: 21
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 904

C:\Windows\SysWOW64\Omfoko32.exe
Command line: C:\Windows\system32\Omfoko32.exe
Depth: 22
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 752

C:\Windows\SysWOW64\Ogncddpg.exe
Command line: C:\Windows\system32\Ogncddpg.exe
Depth: 23
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 676

C:\Windows\SysWOW64\Onhkan32.exe
Command line: C:\Windows\system32\Onhkan32.exe
Depth: 24
- Executes dropped EXE
- Loads dropped DLL
PID: 1556

C:\Windows\SysWOW64\Odbcnh32.exe
Command line: C:\Windows\system32\Odbcnh32.exe
Depth: 25
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3016

C:\Windows\SysWOW64\Oecpeqdo.exe
Command line: C:\Windows\system32\Oecpeqdo.exe
Depth: 26
- Executes dropped EXE
- Loads dropped DLL
PID: 1600

C:\Windows\SysWOW64\Pcgqoech.exe
Command line: C:\Windows\system32\Pcgqoech.exe
Depth: 27
- Executes dropped EXE
- Loads dropped DLL
PID: 2036

C:\Windows\SysWOW64\Pefmkpbl.exe
Command line: C:\Windows\system32\Pefmkpbl.exe
Depth: 28
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2496

C:\Windows\SysWOW64\Pamnpahp.exe
Command line: C:\Windows\system32\Pamnpahp.exe
Depth: 29
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2684

C:\Windows\SysWOW64\Pjdeaohb.exe
Command line: C:\Windows\system32\Pjdeaohb.exe
Depth: 30
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2444

C:\Windows\SysWOW64\Pekffp32.exe
Command line: C:\Windows\system32\Pekffp32.exe
Depth: 31
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2888

C:\Windows\SysWOW64\Phibbk32.exe
Command line: C:\Windows\system32\Phibbk32.exe
Depth: 32
- Executes dropped EXE
- Loads dropped DLL
PID: 2744

C:\Windows\SysWOW64\Pnfkjb32.exe
Command line: C:\Windows\system32\Pnfkjb32.exe
Depth: 33
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 928

C:\Windows\SysWOW64\Phkohkkh.exe
Command line: C:\Windows\system32\Phkohkkh.exe
Depth: 34
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1280

C:\Windows\SysWOW64\Pnhhpaio.exe
Command line: C:\Windows\system32\Pnhhpaio.exe
Depth: 35
- Executes dropped EXE
PID: 2156

C:\Windows\SysWOW64\Qhnlmjie.exe
Command line: C:\Windows\system32\Qhnlmjie.exe
Depth: 36
- Executes dropped EXE
PID: 2072

C:\Windows\SysWOW64\Qjoheb32.exe
Command line: C:\Windows\system32\Qjoheb32.exe
Depth: 37
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2844

C:\Windows\SysWOW64\Qddmbkoi.exe
Command line: C:\Windows\system32\Qddmbkoi.exe
Depth: 38
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2792

C:\Windows\SysWOW64\Adgihkmf.exe
Command line: C:\Windows\system32\Adgihkmf.exe
Depth: 39
- Executes dropped EXE
PID: 2952

C:\Windows\SysWOW64\Ageedflj.exe
Command line: C:\Windows\system32\Ageedflj.exe
Depth: 40
- Executes dropped EXE
PID: 1972

C:\Windows\SysWOW64\Ambnlmja.exe
Command line: C:\Windows\system32\Ambnlmja.exe
Depth: 41
- Executes dropped EXE
PID: 2668

C:\Windows\SysWOW64\Aclfigao.exe
Command line: C:\Windows\system32\Aclfigao.exe
Depth: 42
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2408

C:\Windows\SysWOW64\Aocgnh32.exe
Command line: C:\Windows\system32\Aocgnh32.exe
Depth: 43
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3036

C:\Windows\SysWOW64\Afmokbop.exe
Command line: C:\Windows\system32\Afmokbop.exe
Depth: 44
- Executes dropped EXE
PID: 2460

C:\Windows\SysWOW64\Amgggm32.exe
Command line: C:\Windows\system32\Amgggm32.exe
Depth: 45
- Executes dropped EXE
PID: 2540

C:\Windows\SysWOW64\Aoedch32.exe
Command line: C:\Windows\system32\Aoedch32.exe
Depth: 46
- Executes dropped EXE
PID: 1944

C:\Windows\SysWOW64\Abcppcdc.exe
Command line: C:\Windows\system32\Abcppcdc.exe
Depth: 47
- Executes dropped EXE
PID: 2192

C:\Windows\SysWOW64\Ainhln32.exe
Command line: C:\Windows\system32\Ainhln32.exe
Depth: 48
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2184

C:\Windows\SysWOW64\Akldhi32.exe
Command line: C:\Windows\system32\Akldhi32.exe
Depth: 49
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3064

C:\Windows\SysWOW64\Abfmecba.exe
Command line: C:\Windows\system32\Abfmecba.exe
Depth: 50
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1908

C:\Windows\SysWOW64\Aediaoae.exe
Command line: C:\Windows\system32\Aediaoae.exe
Depth: 51
- Executes dropped EXE
PID: 2032

C:\Windows\SysWOW64\Bgbemjqh.exe
Command line: C:\Windows\system32\Bgbemjqh.exe
Depth: 52
- Executes dropped EXE
PID: 1708

C:\Windows\SysWOW64\Bojmogak.exe
Command line: C:\Windows\system32\Bojmogak.exe
Depth: 53
- Executes dropped EXE
- Modifies registry class
PID: 2304

C:\Windows\SysWOW64\Bbhikcpn.exe
Command line: C:\Windows\system32\Bbhikcpn.exe
Depth: 54
- Executes dropped EXE
PID: 2872

C:\Windows\SysWOW64\Begegn32.exe
Command line: C:\Windows\system32\Begegn32.exe
Depth: 55
- Executes dropped EXE
- Modifies registry class
PID: 2196

C:\Windows\SysWOW64\Bgebcj32.exe
Command line: C:\Windows\system32\Bgebcj32.exe
Depth: 56
- Executes dropped EXE
PID: 2592

C:\Windows\SysWOW64\Bnojpdfb.exe
Command line: C:\Windows\system32\Bnojpdfb.exe
Depth: 57
- Executes dropped EXE
PID: 2644

C:\Windows\SysWOW64\Bamfloef.exe
Command line: C:\Windows\system32\Bamfloef.exe
Depth: 58
- Executes dropped EXE
PID: 664

C:\Windows\SysWOW64\Bclbhkdj.exe
Command line: C:\Windows\system32\Bclbhkdj.exe
Depth: 59
- Executes dropped EXE
PID: 2404

C:\Windows\SysWOW64\Bjfkde32.exe
Command line: C:\Windows\system32\Bjfkde32.exe
Depth: 60
- Executes dropped EXE
PID: 2364

C:\Windows\SysWOW64\Bapcaocc.exe
Command line: C:\Windows\system32\Bapcaocc.exe
Depth: 61
- Executes dropped EXE
PID: 2972

C:\Windows\SysWOW64\Bekobn32.exe
Command line: C:\Windows\system32\Bekobn32.exe
Depth: 62
- Executes dropped EXE
PID: 2936

C:\Windows\SysWOW64\Bcnomjbg.exe
Command line: C:\Windows\system32\Bcnomjbg.exe
Depth: 63
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2944

C:\Windows\SysWOW64\Bmfdfpih.exe
Command line: C:\Windows\system32\Bmfdfpih.exe
Depth: 64
- Executes dropped EXE
PID: 2676

C:\Windows\SysWOW64\Bpepbkhk.exe
Command line: C:\Windows\system32\Bpepbkhk.exe
Depth: 65
- Executes dropped EXE
PID: 1152

C:\Windows\SysWOW64\Bcqlcj32.exe
Command line: C:\Windows\system32\Bcqlcj32.exe
Depth: 66
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2028

C:\Windows\SysWOW64\Bjjdpdga.exe
Command line: C:\Windows\system32\Bjjdpdga.exe
Depth: 67
PID: 2176

C:\Windows\SysWOW64\Bpgmhkfi.exe
Command line: C:\Windows\system32\Bpgmhkfi.exe
Depth: 68
PID: 1012

C:\Windows\SysWOW64\Cbfidfem.exe
Command line: C:\Windows\system32\Cbfidfem.exe
Depth: 69
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1468

C:\Windows\SysWOW64\Cipaqqli.exe
Command line: C:\Windows\system32\Cipaqqli.exe
Depth: 70
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1060

C:\Windows\SysWOW64\Cmkmao32.exe
Command line: C:\Windows\system32\Cmkmao32.exe
Depth: 71
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2084

C:\Windows\SysWOW64\Cbhejf32.exe
Command line: C:\Windows\system32\Cbhejf32.exe
Depth: 72
PID: 2276

C:\Windows\SysWOW64\Cfcajekc.exe
Command line: C:\Windows\system32\Cfcajekc.exe
Depth: 73
- Modifies registry class
PID: 2760

C:\Windows\SysWOW64\Cmnjgo32.exe
Command line: C:\Windows\system32\Cmnjgo32.exe
Depth: 74
PID: 2852

C:\Windows\SysWOW64\Cffnpdip.exe
Command line: C:\Windows\system32\Cffnpdip.exe
Depth: 75
PID: 2876

C:\Windows\SysWOW64\Cidklp32.exe
Command line: C:\Windows\system32\Cidklp32.exe
Depth: 76
PID: 2584

C:\Windows\SysWOW64\Clcghk32.exe
Command line: C:\Windows\system32\Clcghk32.exe
Depth: 77
PID: 2504

C:\Windows\SysWOW64\Cbmoeeod.exe
Command line: C:\Windows\system32\Cbmoeeod.exe
Depth: 78
- Modifies registry class
PID: 760

C:\Windows\SysWOW64\Capopb32.exe
Command line: C:\Windows\system32\Capopb32.exe
Depth: 79
PID: 2984

C:\Windows\SysWOW64\Chigmlml.exe
Command line: C:\Windows\system32\Chigmlml.exe
Depth: 80
- System Location Discovery: System Language Discovery
PID: 1784

C:\Windows\SysWOW64\Clecnk32.exe
Command line: C:\Windows\system32\Clecnk32.exe
Depth: 81
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2384

C:\Windows\SysWOW64\Cocpjf32.exe
Command line: C:\Windows\system32\Cocpjf32.exe
Depth: 82
PID: 2200

C:\Windows\SysWOW64\Cablfb32.exe
Command line: C:\Windows\system32\Cablfb32.exe
Depth: 83
PID: 1048

C:\Windows\SysWOW64\Cdphbm32.exe
Command line: C:\Windows\system32\Cdphbm32.exe
Depth: 84
PID: 1968

C:\Windows\SysWOW64\Chldbl32.exe
Command line: C:\Windows\system32\Chldbl32.exe
Depth: 85
PID: 920

C:\Windows\SysWOW64\Clgpckcb.exe
Command line: C:\Windows\system32\Clgpckcb.exe
Depth: 86
- Modifies registry class
PID: 2764

C:\Windows\SysWOW64\Depelp32.exe
Command line: C:\Windows\system32\Depelp32.exe
Depth: 87
- System Location Discovery: System Language Discovery
PID: 1736

C:\Windows\SysWOW64\Dhnahl32.exe
Command line: C:\Windows\system32\Dhnahl32.exe
Depth: 88
PID: 1612

C:\Windows\SysWOW64\Dfaachpa.exe
Command line: C:\Windows\system32\Dfaachpa.exe
Depth: 89
PID: 1956

C:\Windows\SysWOW64\Dohiefpc.exe
Command line: C:\Windows\system32\Dohiefpc.exe
Depth: 90
PID: 2788

C:\Windows\SysWOW64\Ddeammok.exe
Command line: C:\Windows\system32\Ddeammok.exe
Depth: 91
- Drops file in System32 directory
- Modifies registry class
PID: 2716

C:\Windows\SysWOW64\Dgcnihnn.exe
Command line: C:\Windows\system32\Dgcnihnn.exe
Depth: 92
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2860

C:\Windows\SysWOW64\Dmmffbek.exe
Command line: C:\Windows\system32\Dmmffbek.exe
Depth: 93
PID: 2756

C:\Windows\SysWOW64\Daibfa32.exe
Command line: C:\Windows\system32\Daibfa32.exe
Depth: 94
PID: 1788

C:\Windows\SysWOW64\Ddgnbl32.exe
Command line: C:\Windows\system32\Ddgnbl32.exe
Depth: 95
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 872

C:\Windows\SysWOW64\Dgfkoh32.exe
Command line: C:\Windows\system32\Dgfkoh32.exe
Depth: 96
PID: 1868

C:\Windows\SysWOW64\Dmpckbci.exe
Command line: C:\Windows\system32\Dmpckbci.exe
Depth: 97
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2968

C:\Windows\SysWOW64\Dlbcgo32.exe
Command line: C:\Windows\system32\Dlbcgo32.exe
Depth: 98
PID: 2916

C:\Windows\SysWOW64\Dcmkciap.exe
Command line: C:\Windows\system32\Dcmkciap.exe
Depth: 99
PID: 2020

C:\Windows\SysWOW64\Dghgdg32.exe
Command line: C:\Windows\system32\Dghgdg32.exe
Depth: 100
PID: 2308

C:\Windows\SysWOW64\Dmbpaa32.exe
Command line: C:\Windows\system32\Dmbpaa32.exe
Depth: 101
PID: 796

C:\Windows\SysWOW64\Dlepmnhq.exe
Command line: C:\Windows\system32\Dlepmnhq.exe
Depth: 102
- Drops file in System32 directory
PID: 1140

C:\Windows\SysWOW64\Dcohih32.exe
Command line: C:\Windows\system32\Dcohih32.exe
Depth: 103
PID: 912

C:\Windows\SysWOW64\Dgjdjghf.exe
Command line: C:\Windows\system32\Dgjdjghf.exe
Depth: 104
- System Location Discovery: System Language Discovery
PID: 1512

C:\Windows\SysWOW64\Eiipfbgj.exe
Command line: C:\Windows\system32\Eiipfbgj.exe
Depth: 105
- Modifies registry class
PID: 3004

C:\Windows\SysWOW64\Elgmbnfn.exe
Command line: C:\Windows\system32\Elgmbnfn.exe
Depth: 106
PID: 2208

C:\Windows\SysWOW64\Eoeiniea.exe
Command line: C:\Windows\system32\Eoeiniea.exe
Depth: 107
PID: 2248

C:\Windows\SysWOW64\Eadejede.exe
Command line: C:\Windows\system32\Eadejede.exe
Depth: 108
- Modifies registry class
PID: 2452

C:\Windows\SysWOW64\Ehnmgo32.exe
Command line: C:\Windows\system32\Ehnmgo32.exe
Depth: 109
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 660

C:\Windows\SysWOW64\Eljihn32.exe
Command line: C:\Windows\system32\Eljihn32.exe
Depth: 110
PID: 2312

C:\Windows\SysWOW64\Eccadhkh.exe
Command line: C:\Windows\system32\Eccadhkh.exe
Depth: 111
- Modifies registry class
PID: 2576

C:\Windows\SysWOW64\Eafapd32.exe
Command line: C:\Windows\system32\Eafapd32.exe
Depth: 112
PID: 2428

C:\Windows\SysWOW64\Ehpjmoio.exe
Command line: C:\Windows\system32\Ehpjmoio.exe
Depth: 113
- System Location Discovery: System Language Discovery
PID: 2484

C:\Windows\SysWOW64\Ekofijic.exe
Command line: C:\Windows\system32\Ekofijic.exe
Depth: 114
PID: 2088

C:\Windows\SysWOW64\Enmbeehg.exe
Command line: C:\Windows\system32\Enmbeehg.exe
Depth: 115
- Drops file in System32 directory
- Modifies registry class
PID: 2044

C:\Windows\SysWOW64\Eedjfchi.exe
Command line: C:\Windows\system32\Eedjfchi.exe
Depth: 116
- System Location Discovery: System Language Discovery
PID: 2980

C:\Windows\SysWOW64\Ehbgbngm.exe
Command line: C:\Windows\system32\Ehbgbngm.exe
Depth: 117
PID: 2344

C:\Windows\SysWOW64\Eomoohoi.exe
Command line: C:\Windows\system32\Eomoohoi.exe
Depth: 118
PID: 2352

C:\Windows\SysWOW64\Epnkfq32.exe
Command line: C:\Windows\system32\Epnkfq32.exe
Depth: 119
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 836

C:\Windows\SysWOW64\Ediggoma.exe
Command line: C:\Windows\system32\Ediggoma.exe
Depth: 120
PID: 2324

C:\Windows\SysWOW64\Ekcpdi32.exe
Command line: C:\Windows\system32\Ekcpdi32.exe
Depth: 121
- Modifies registry class
PID: 1432

C:\Windows\SysWOW64\Ejfpofkh.exe
Command line: C:\Windows\system32\Ejfpofkh.exe
Depth: 122
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 744