Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
18/08/2024, 00:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
64bb8bd0278a481460153e2ae4da5460N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
64bb8bd0278a481460153e2ae4da5460N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
64bb8bd0278a481460153e2ae4da5460N.exe
-
Size
88KB
-
MD5
64bb8bd0278a481460153e2ae4da5460
-
SHA1
89916e2722892766f7f7a0d972d9f2a95b88277a
-
SHA256
93efbf9b94314f8a46787bba99010f00de145eaab30f7c99ef8aa7714e15c25d
-
SHA512
ba43366e7ae1eeaaede2c4b2a3e1008a38e1930b9b62e37a37c01ae2f7331f15e053976a395524f12be83d7cae1b470c9296f342eab9c5b730b6d95950e61158
-
SSDEEP
1536:ePWRYheQveuSmHMmtMmEeFTlOB2K019zlnouy8L:QWTQve1ms9xOlOEr9outL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gapoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohjmlaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dekeeonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gplebjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhibakmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoomai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhcnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jndhddaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqemeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkhalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbbiii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omgfdhbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaiak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcqep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkeneja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfjhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mljnaocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmbmii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcchgini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbheif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdcdfmqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjgqcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhibakmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidfjckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokahhac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplnpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Magfjebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okfmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igcjgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfdfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hibidc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmemoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoelpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ninjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfjihdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmkbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlpqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbkchj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oheppe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoomai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfaqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfilnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndjhpcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaqhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganbjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iboghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdgfpbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lelljepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meeopdhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbcgnie.exe -
Executes dropped EXE 64 IoCs
pid Process 2348 Cppakj32.exe 2200 Cfjihdcc.exe 2864 Ckfeic32.exe 2964 Cpbnaj32.exe 2044 Cbajme32.exe 2728 Cikbjpqd.exe 2384 Cmfnjnin.exe 1324 Cbcfbege.exe 2396 Cmikpngk.exe 1964 Cpgglifo.exe 1956 Ccecheeb.exe 808 Cedpdpdf.exe 3032 Cipleo32.exe 656 Coldmfkf.exe 1640 Dakpiajj.exe 2108 Dhehfk32.exe 2408 Dkcebg32.exe 1064 Dammoahg.exe 2096 Deiipp32.exe 1308 Dhgelk32.exe 2668 Dkeahf32.exe 2536 Dndndbnl.exe 1476 Dekeeonn.exe 2352 Dhibakmb.exe 2636 Dkhnmfle.exe 2084 Docjne32.exe 2232 Dpdfemkm.exe 2904 Dkjkcfjc.exe 2996 Djmknb32.exe 2880 Dcepgh32.exe 2724 Dgalhgpg.exe 1712 Epipql32.exe 952 Edelakoq.exe 2304 Echlmh32.exe 316 Egchmfnd.exe 2596 Eoomai32.exe 2928 Egeecf32.exe 2284 Ehgaknbp.exe 1856 Eqnillbb.exe 2412 Eclfhgaf.exe 2424 Ebofcd32.exe 2112 Elejqm32.exe 872 Ekhjlioa.exe 1644 Edpoeoea.exe 1772 Emggflfc.exe 1140 Enhcnd32.exe 640 Ffpkob32.exe 2432 Fdblkoco.exe 1672 Fgqhgjbb.exe 2912 Fohphgce.exe 1492 Fnkpcd32.exe 1412 Fqilppic.exe 2708 Fdehpn32.exe 2832 Fgcdlj32.exe 2008 Fkoqmhii.exe 780 Fjaqhe32.exe 2932 Fbiijb32.exe 1624 Fqkieogp.exe 3024 Fgeabi32.exe 2068 Fkambhgf.exe 2132 Fjdnne32.exe 2172 Fmbjjp32.exe 2524 Feiaknmg.exe 1356 Fghngimj.exe -
Loads dropped DLL 64 IoCs
pid Process 1660 64bb8bd0278a481460153e2ae4da5460N.exe 1660 64bb8bd0278a481460153e2ae4da5460N.exe 2348 Cppakj32.exe 2348 Cppakj32.exe 2200 Cfjihdcc.exe 2200 Cfjihdcc.exe 2864 Ckfeic32.exe 2864 Ckfeic32.exe 2964 Cpbnaj32.exe 2964 Cpbnaj32.exe 2044 Cbajme32.exe 2044 Cbajme32.exe 2728 Cikbjpqd.exe 2728 Cikbjpqd.exe 2384 Cmfnjnin.exe 2384 Cmfnjnin.exe 1324 Cbcfbege.exe 1324 Cbcfbege.exe 2396 Cmikpngk.exe 2396 Cmikpngk.exe 1964 Cpgglifo.exe 1964 Cpgglifo.exe 1956 Ccecheeb.exe 1956 Ccecheeb.exe 808 Cedpdpdf.exe 808 Cedpdpdf.exe 3032 Cipleo32.exe 3032 Cipleo32.exe 656 Coldmfkf.exe 656 Coldmfkf.exe 1640 Dakpiajj.exe 1640 Dakpiajj.exe 2108 Dhehfk32.exe 2108 Dhehfk32.exe 2408 Dkcebg32.exe 2408 Dkcebg32.exe 1064 Dammoahg.exe 1064 Dammoahg.exe 2096 Deiipp32.exe 2096 Deiipp32.exe 1308 Dhgelk32.exe 1308 Dhgelk32.exe 2668 Dkeahf32.exe 2668 Dkeahf32.exe 2536 Dndndbnl.exe 2536 Dndndbnl.exe 1476 Dekeeonn.exe 1476 Dekeeonn.exe 2352 Dhibakmb.exe 2352 Dhibakmb.exe 2636 Dkhnmfle.exe 2636 Dkhnmfle.exe 2084 Docjne32.exe 2084 Docjne32.exe 2232 Dpdfemkm.exe 2232 Dpdfemkm.exe 2904 Dkjkcfjc.exe 2904 Dkjkcfjc.exe 2996 Djmknb32.exe 2996 Djmknb32.exe 2880 Dcepgh32.exe 2880 Dcepgh32.exe 2724 Dgalhgpg.exe 2724 Dgalhgpg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jhniebne.exe Jfpmifoa.exe File opened for modification C:\Windows\SysWOW64\Fbiijb32.exe Fjaqhe32.exe File opened for modification C:\Windows\SysWOW64\Hfdmhh32.exe Hdeall32.exe File created C:\Windows\SysWOW64\Hddpfjgq.dll Noifmmec.exe File created C:\Windows\SysWOW64\Fmmjolll.dll Okfmbm32.exe File opened for modification C:\Windows\SysWOW64\Djmknb32.exe Dkjkcfjc.exe File created C:\Windows\SysWOW64\Cfekom32.dll Oeegnj32.exe File created C:\Windows\SysWOW64\Ondomh32.dll Idemkp32.exe File created C:\Windows\SysWOW64\Pfkidj32.dll Jllakpdk.exe File opened for modification C:\Windows\SysWOW64\Mfkebkjk.exe Mbpibm32.exe File opened for modification C:\Windows\SysWOW64\Cipleo32.exe Cedpdpdf.exe File opened for modification C:\Windows\SysWOW64\Fjdnne32.exe Fkambhgf.exe File created C:\Windows\SysWOW64\Nakahn32.dll Hhopgkin.exe File opened for modification C:\Windows\SysWOW64\Ikmibjkm.exe Ihnmfoli.exe File created C:\Windows\SysWOW64\Lkhalo32.exe Lijepc32.exe File created C:\Windows\SysWOW64\Bpecpkfk.dll Eoomai32.exe File created C:\Windows\SysWOW64\Imkeneja.exe Ikmibjkm.exe File created C:\Windows\SysWOW64\Emadmmop.dll Jndhddaf.exe File opened for modification C:\Windows\SysWOW64\Lfilnh32.exe Lbmpnjai.exe File created C:\Windows\SysWOW64\Ganbjb32.exe Gnofng32.exe File created C:\Windows\SysWOW64\Afloik32.dll Gnofng32.exe File created C:\Windows\SysWOW64\Fkoqmhii.exe Fgcdlj32.exe File created C:\Windows\SysWOW64\Bnjgld32.dll Iencdc32.exe File created C:\Windows\SysWOW64\Mmngof32.exe Mmngof32.exe File created C:\Windows\SysWOW64\Ogmngn32.exe Ohjmlaci.exe File created C:\Windows\SysWOW64\Hengep32.exe Habkeacd.exe File created C:\Windows\SysWOW64\Jidbifmb.exe Jkabmi32.exe File created C:\Windows\SysWOW64\Defadnfb.dll Lmqgec32.exe File created C:\Windows\SysWOW64\Hadhjaaa.exe Hmiljb32.exe File opened for modification C:\Windows\SysWOW64\Hfaqbh32.exe Hhopgkin.exe File opened for modification C:\Windows\SysWOW64\Idcqep32.exe Iaddid32.exe File created C:\Windows\SysWOW64\Jgmlmj32.exe Jofdll32.exe File created C:\Windows\SysWOW64\Kkhdml32.exe Kgmilmkb.exe File created C:\Windows\SysWOW64\Hbknmicj.exe Hlqfqo32.exe File opened for modification C:\Windows\SysWOW64\Ibmkbh32.exe Hpoofm32.exe File opened for modification C:\Windows\SysWOW64\Opebpdad.exe Oacbdg32.exe File created C:\Windows\SysWOW64\Gpjilj32.exe Gmlmpo32.exe File opened for modification C:\Windows\SysWOW64\Igcjgk32.exe Idemkp32.exe File opened for modification C:\Windows\SysWOW64\Jfbinf32.exe Jafmngde.exe File opened for modification C:\Windows\SysWOW64\Lkhalo32.exe Lijepc32.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Mchokq32.exe File created C:\Windows\SysWOW64\Fjdnne32.exe Fkambhgf.exe File created C:\Windows\SysWOW64\Dpgdad32.dll Jcfjhj32.exe File opened for modification C:\Windows\SysWOW64\Fgcdlj32.exe Fdehpn32.exe File opened for modification C:\Windows\SysWOW64\Gfogneop.exe Gcakbjpl.exe File created C:\Windows\SysWOW64\Iijfeeok.dll Iokahhac.exe File created C:\Windows\SysWOW64\Jcfjhj32.exe Jojnglco.exe File opened for modification C:\Windows\SysWOW64\Onlooh32.exe Oeegnj32.exe File created C:\Windows\SysWOW64\Opjlkc32.exe Olopjddf.exe File created C:\Windows\SysWOW64\Jomadboo.dll Cmikpngk.exe File opened for modification C:\Windows\SysWOW64\Dkjkcfjc.exe Dpdfemkm.exe File created C:\Windows\SysWOW64\Igcjgk32.exe Idemkp32.exe File created C:\Windows\SysWOW64\Eqnillbb.exe Ehgaknbp.exe File opened for modification C:\Windows\SysWOW64\Fnkpcd32.exe Fohphgce.exe File created C:\Windows\SysWOW64\Nlcbociq.dll Jakjjcnd.exe File created C:\Windows\SysWOW64\Lojjfo32.exe Lqgjkbop.exe File opened for modification C:\Windows\SysWOW64\Okijhmcm.exe Ogmngn32.exe File created C:\Windows\SysWOW64\Iainddpg.exe Iokahhac.exe File created C:\Windows\SysWOW64\Jofdll32.exe Jlghpa32.exe File opened for modification C:\Windows\SysWOW64\Niqgof32.exe Neekogkm.exe File opened for modification C:\Windows\SysWOW64\Nejdjf32.exe Nmbmii32.exe File opened for modification C:\Windows\SysWOW64\Okfmbm32.exe Nhhqfb32.exe File created C:\Windows\SysWOW64\Hhopgkin.exe Hdcdfmqe.exe File opened for modification C:\Windows\SysWOW64\Mlhmkbhb.exe Mmemoe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4664 4640 WerFault.exe 345 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcakbjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcdkbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndqbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epipql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echlmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobiclmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmgodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdaid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhibakmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkncf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Habkeacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnmfoli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafmngde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndndbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheofahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgoebmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhchg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iencdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlmpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gapoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcjgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebnigmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeegnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllpflng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcqep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchmfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidbifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liboodmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcpjfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgqcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnloph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjlmjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhqeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edelakoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcdfmqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndoifdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqemeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcika32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbgbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcblkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glaiak32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niqgof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlapaapg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogbgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhopgkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihnmfoli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdffecqf.dll" Iagaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkldbf32.dll" Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgcdlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpbkipf.dll" Iboghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Magfjebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmmjl32.dll" Ocdnloph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emggflfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fikgda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnofng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbknmicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hengep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfkjdikj.dll" Liboodmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnepij.dll" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpapgnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikkoh32.dll" Okijhmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onlooh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glcfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakahn32.dll" Hhopgkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdkhb32.dll" Loocanbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjmoj32.dll" Lfilnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glopccij.dll" Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dammoahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbheif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfdhdkf.dll" Nebnigmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ninjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 64bb8bd0278a481460153e2ae4da5460N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpnkep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knpkhhhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjnanhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbknfn32.dll" Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpbnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfnjnin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqpbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqpbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlapaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lomglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpkdjmh.dll" Gbmoceol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfdmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgdad32.dll" Jcfjhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll" Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engmglod.dll" Ffpkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdomige.dll" Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlnid32.dll" Kgoebmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblmfa32.dll" Kjnanhhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idcqep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaainpb.dll" Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkje32.dll" Fgcdlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnijnjbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndoelpid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 2348 1660 64bb8bd0278a481460153e2ae4da5460N.exe 30 PID 1660 wrote to memory of 2348 1660 64bb8bd0278a481460153e2ae4da5460N.exe 30 PID 1660 wrote to memory of 2348 1660 64bb8bd0278a481460153e2ae4da5460N.exe 30 PID 1660 wrote to memory of 2348 1660 64bb8bd0278a481460153e2ae4da5460N.exe 30 PID 2348 wrote to memory of 2200 2348 Cppakj32.exe 31 PID 2348 wrote to memory of 2200 2348 Cppakj32.exe 31 PID 2348 wrote to memory of 2200 2348 Cppakj32.exe 31 PID 2348 wrote to memory of 2200 2348 Cppakj32.exe 31 PID 2200 wrote to memory of 2864 2200 Cfjihdcc.exe 32 PID 2200 wrote to memory of 2864 2200 Cfjihdcc.exe 32 PID 2200 wrote to memory of 2864 2200 Cfjihdcc.exe 32 PID 2200 wrote to memory of 2864 2200 Cfjihdcc.exe 32 PID 2864 wrote to memory of 2964 2864 Ckfeic32.exe 33 PID 2864 wrote to memory of 2964 2864 Ckfeic32.exe 33 PID 2864 wrote to memory of 2964 2864 Ckfeic32.exe 33 PID 2864 wrote to memory of 2964 2864 Ckfeic32.exe 33 PID 2964 wrote to memory of 2044 2964 Cpbnaj32.exe 34 PID 2964 wrote to memory of 2044 2964 Cpbnaj32.exe 34 PID 2964 wrote to memory of 2044 2964 Cpbnaj32.exe 34 PID 2964 wrote to memory of 2044 2964 Cpbnaj32.exe 34 PID 2044 wrote to memory of 2728 2044 Cbajme32.exe 35 PID 2044 wrote to memory of 2728 2044 Cbajme32.exe 35 PID 2044 wrote to memory of 2728 2044 Cbajme32.exe 35 PID 2044 wrote to memory of 2728 2044 Cbajme32.exe 35 PID 2728 wrote to memory of 2384 2728 Cikbjpqd.exe 36 PID 2728 wrote to memory of 2384 2728 Cikbjpqd.exe 36 PID 2728 wrote to memory of 2384 2728 Cikbjpqd.exe 36 PID 2728 wrote to memory of 2384 2728 Cikbjpqd.exe 36 PID 2384 wrote to memory of 1324 2384 Cmfnjnin.exe 37 PID 2384 wrote to memory of 1324 2384 Cmfnjnin.exe 37 PID 2384 wrote to memory of 1324 2384 Cmfnjnin.exe 37 PID 2384 wrote to memory of 1324 2384 Cmfnjnin.exe 37 PID 1324 wrote to memory of 2396 1324 Cbcfbege.exe 38 PID 1324 wrote to memory of 2396 1324 Cbcfbege.exe 38 PID 1324 wrote to memory of 2396 1324 Cbcfbege.exe 38 PID 1324 wrote to memory of 2396 1324 Cbcfbege.exe 38 PID 2396 wrote to memory of 1964 2396 Cmikpngk.exe 39 PID 2396 wrote to memory of 1964 2396 Cmikpngk.exe 39 PID 2396 wrote to memory of 1964 2396 Cmikpngk.exe 39 PID 2396 wrote to memory of 1964 2396 Cmikpngk.exe 39 PID 1964 wrote to memory of 1956 1964 Cpgglifo.exe 40 PID 1964 wrote to memory of 1956 1964 Cpgglifo.exe 40 PID 1964 wrote to memory of 1956 1964 Cpgglifo.exe 40 PID 1964 wrote to memory of 1956 1964 Cpgglifo.exe 40 PID 1956 wrote to memory of 808 1956 Ccecheeb.exe 41 PID 1956 wrote to memory of 808 1956 Ccecheeb.exe 41 PID 1956 wrote to memory of 808 1956 Ccecheeb.exe 41 PID 1956 wrote to memory of 808 1956 Ccecheeb.exe 41 PID 808 wrote to memory of 3032 808 Cedpdpdf.exe 42 PID 808 wrote to memory of 3032 808 Cedpdpdf.exe 42 PID 808 wrote to memory of 3032 808 Cedpdpdf.exe 42 PID 808 wrote to memory of 3032 808 Cedpdpdf.exe 42 PID 3032 wrote to memory of 656 3032 Cipleo32.exe 43 PID 3032 wrote to memory of 656 3032 Cipleo32.exe 43 PID 3032 wrote to memory of 656 3032 Cipleo32.exe 43 PID 3032 wrote to memory of 656 3032 Cipleo32.exe 43 PID 656 wrote to memory of 1640 656 Coldmfkf.exe 44 PID 656 wrote to memory of 1640 656 Coldmfkf.exe 44 PID 656 wrote to memory of 1640 656 Coldmfkf.exe 44 PID 656 wrote to memory of 1640 656 Coldmfkf.exe 44 PID 1640 wrote to memory of 2108 1640 Dakpiajj.exe 45 PID 1640 wrote to memory of 2108 1640 Dakpiajj.exe 45 PID 1640 wrote to memory of 2108 1640 Dakpiajj.exe 45 PID 1640 wrote to memory of 2108 1640 Dakpiajj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\64bb8bd0278a481460153e2ae4da5460N.exe"C:\Users\Admin\AppData\Local\Temp\64bb8bd0278a481460153e2ae4da5460N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Cppakj32.exeC:\Windows\system32\Cppakj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Coldmfkf.exeC:\Windows\system32\Coldmfkf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Dammoahg.exeC:\Windows\system32\Dammoahg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Deiipp32.exeC:\Windows\system32\Deiipp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Djmknb32.exeC:\Windows\system32\Djmknb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Egchmfnd.exeC:\Windows\system32\Egchmfnd.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe40⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe41⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe42⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Elejqm32.exeC:\Windows\system32\Elejqm32.exe43⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe44⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe45⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Enhcnd32.exeC:\Windows\system32\Enhcnd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe49⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fgqhgjbb.exeC:\Windows\system32\Fgqhgjbb.exe50⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe53⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Fkoqmhii.exeC:\Windows\system32\Fkoqmhii.exe56⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe58⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe59⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Fmbjjp32.exeC:\Windows\system32\Fmbjjp32.exe63⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe64⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe65⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe67⤵PID:2308
-
C:\Windows\SysWOW64\Fqpbpo32.exeC:\Windows\system32\Fqpbpo32.exe68⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe69⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe70⤵PID:2984
-
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe71⤵PID:1680
-
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe72⤵PID:864
-
C:\Windows\SysWOW64\Fikgda32.exeC:\Windows\system32\Fikgda32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Gabofn32.exeC:\Windows\system32\Gabofn32.exe74⤵PID:1584
-
C:\Windows\SysWOW64\Gcakbjpl.exeC:\Windows\system32\Gcakbjpl.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Gfogneop.exeC:\Windows\system32\Gfogneop.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe77⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe78⤵PID:2400
-
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe80⤵PID:904
-
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe81⤵PID:1252
-
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe83⤵PID:2056
-
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe84⤵PID:2356
-
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Gibmep32.exeC:\Windows\system32\Gibmep32.exe87⤵PID:2784
-
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe92⤵PID:576
-
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe93⤵PID:1936
-
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe94⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe95⤵PID:844
-
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe96⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe98⤵PID:2820
-
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe100⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe103⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe104⤵PID:600
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe105⤵PID:2128
-
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe106⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe107⤵PID:2208
-
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe111⤵PID:2952
-
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe112⤵PID:916
-
C:\Windows\SysWOW64\Hpjeknfi.exeC:\Windows\system32\Hpjeknfi.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe116⤵PID:2180
-
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:408 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe118⤵PID:1676
-
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe119⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe120⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-