Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 10:40 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ddca3db8deab743d856ad9fe47934e50N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ddca3db8deab743d856ad9fe47934e50N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ddca3db8deab743d856ad9fe47934e50N.exe
-
Size
363KB
-
MD5
ddca3db8deab743d856ad9fe47934e50
-
SHA1
d2e9a660c2ef3a93d35a78a85f43b14fef596ef4
-
SHA256
df9b56e0d1e99bd3d59606b4ebe7a77b0d3f2fdc020e96fe2940824893f596f9
-
SHA512
dfdfea897b2cda09f4d3048abc8d03789ae651dfbd29a7ef8a90d5db4f2453ad982196d8c0612edeb5641e783331942876c639d439da31d633c5773244e53329
-
SSDEEP
6144:S0XTtrH5tTDUZNSN58VU5tTt50NoYnX5tTDUZNSN58VU5tT:SYTt75t6NSN6G5tb0fX5t6NSN6G5t
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckecpjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhflcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plndcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macjgadf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkpmaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhnqfla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plndcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beadgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidaba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnqphhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilmbhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dochelmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnqjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnehado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnjeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnflae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aicmadmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeoongd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmocbnop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpqcpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgccbhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkmjlca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfaqfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdpohodn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgcio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpjlmc.exe -
Executes dropped EXE 64 IoCs
pid Process 2616 Jmlfmn32.exe 2788 Jecnnk32.exe 2948 Jfekec32.exe 2612 Jmocbnop.exe 2536 Kihpmnbb.exe 2168 Kbbakc32.exe 660 Khojcj32.exe 572 Lajkbp32.exe 2208 Lkbpke32.exe 2708 Lophacfl.exe 2912 Lpaehl32.exe 1680 Ldpnoj32.exe 1492 Lilfgq32.exe 1684 Mpikik32.exe 2344 Meecaa32.exe 1000 Mpkhoj32.exe 1436 Mhflcm32.exe 2012 Mopdpg32.exe 2996 Mdmmhn32.exe 1672 Mobaef32.exe 1008 Meljbqna.exe 1788 Mkibjgli.exe 2312 Macjgadf.exe 2632 Nklopg32.exe 2680 Nphghn32.exe 2644 Ngbpehpj.exe 2672 Nnlhab32.exe 2844 Ngeljh32.exe 2524 Njchfc32.exe 2600 Nqmqcmdh.exe 448 Nfjildbp.exe 1324 Ncnjeh32.exe 1904 Nflfad32.exe 884 Oodjjign.exe 2932 Ofobgc32.exe 2888 Ooggpiek.exe 2744 Oddphp32.exe 604 Oknhdjko.exe 704 Oqkpmaif.exe 1352 Ogdhik32.exe 1692 Ojceef32.exe 2000 Oqmmbqgd.exe 1264 Oggeokoq.exe 2984 Onamle32.exe 2100 Oqojhp32.exe 2260 Pjhnqfla.exe 1724 Pmfjmake.exe 2668 Pglojj32.exe 2760 Pimkbbpi.exe 2824 Padccpal.exe 2596 Pbepkh32.exe 1596 Piohgbng.exe 1396 Plndcmmj.exe 2564 Pcdldknm.exe 2748 Pefhlcdk.exe 3024 Pmmqmpdm.exe 476 Ppkmjlca.exe 1404 Pfeeff32.exe 3040 Pidaba32.exe 2424 Plbmom32.exe 1428 Qnqjkh32.exe 1208 Qaofgc32.exe 2476 Qifnhaho.exe 1088 Qldjdlgb.exe -
Loads dropped DLL 64 IoCs
pid Process 624 ddca3db8deab743d856ad9fe47934e50N.exe 624 ddca3db8deab743d856ad9fe47934e50N.exe 2616 Jmlfmn32.exe 2616 Jmlfmn32.exe 2788 Jecnnk32.exe 2788 Jecnnk32.exe 2948 Jfekec32.exe 2948 Jfekec32.exe 2612 Jmocbnop.exe 2612 Jmocbnop.exe 2536 Kihpmnbb.exe 2536 Kihpmnbb.exe 2168 Kbbakc32.exe 2168 Kbbakc32.exe 660 Khojcj32.exe 660 Khojcj32.exe 572 Lajkbp32.exe 572 Lajkbp32.exe 2208 Lkbpke32.exe 2208 Lkbpke32.exe 2708 Lophacfl.exe 2708 Lophacfl.exe 2912 Lpaehl32.exe 2912 Lpaehl32.exe 1680 Ldpnoj32.exe 1680 Ldpnoj32.exe 1492 Lilfgq32.exe 1492 Lilfgq32.exe 1684 Mpikik32.exe 1684 Mpikik32.exe 2344 Meecaa32.exe 2344 Meecaa32.exe 1000 Mpkhoj32.exe 1000 Mpkhoj32.exe 1436 Mhflcm32.exe 1436 Mhflcm32.exe 2012 Mopdpg32.exe 2012 Mopdpg32.exe 2996 Mdmmhn32.exe 2996 Mdmmhn32.exe 1672 Mobaef32.exe 1672 Mobaef32.exe 1008 Meljbqna.exe 1008 Meljbqna.exe 1788 Mkibjgli.exe 1788 Mkibjgli.exe 2312 Macjgadf.exe 2312 Macjgadf.exe 2632 Nklopg32.exe 2632 Nklopg32.exe 2680 Nphghn32.exe 2680 Nphghn32.exe 2644 Ngbpehpj.exe 2644 Ngbpehpj.exe 2672 Nnlhab32.exe 2672 Nnlhab32.exe 2844 Ngeljh32.exe 2844 Ngeljh32.exe 2524 Njchfc32.exe 2524 Njchfc32.exe 2600 Nqmqcmdh.exe 2600 Nqmqcmdh.exe 448 Nfjildbp.exe 448 Nfjildbp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mdmmhn32.exe Mopdpg32.exe File created C:\Windows\SysWOW64\Djqdbbek.dll Pmmqmpdm.exe File opened for modification C:\Windows\SysWOW64\Appbcn32.exe Amafgc32.exe File created C:\Windows\SysWOW64\Blniinac.exe Bedamd32.exe File created C:\Windows\SysWOW64\Ckhpejbf.exe Ccqhdmbc.exe File created C:\Windows\SysWOW64\Khojcj32.exe Kbbakc32.exe File opened for modification C:\Windows\SysWOW64\Lkbpke32.exe Lajkbp32.exe File created C:\Windows\SysWOW64\Plndcmmj.exe Piohgbng.exe File opened for modification C:\Windows\SysWOW64\Qncfphff.exe Qldjdlgb.exe File opened for modification C:\Windows\SysWOW64\Adgein32.exe Ammmlcgi.exe File created C:\Windows\SysWOW64\Baclaf32.exe Blgcio32.exe File created C:\Windows\SysWOW64\Pglojj32.exe Pmfjmake.exe File created C:\Windows\SysWOW64\Pefhlcdk.exe Pcdldknm.exe File created C:\Windows\SysWOW64\Ablbjj32.exe Albjnplq.exe File created C:\Windows\SysWOW64\Cfcmlg32.exe Cceapl32.exe File created C:\Windows\SysWOW64\Inhcgajk.dll Dhdfmbjc.exe File created C:\Windows\SysWOW64\Nlaaie32.dll Ecnpdnho.exe File opened for modification C:\Windows\SysWOW64\Jmocbnop.exe Jfekec32.exe File created C:\Windows\SysWOW64\Ngeljh32.exe Nnlhab32.exe File opened for modification C:\Windows\SysWOW64\Aicmadmm.exe Afeaei32.exe File opened for modification C:\Windows\SysWOW64\Blniinac.exe Bedamd32.exe File created C:\Windows\SysWOW64\Fcphaglh.dll Dkeoongd.exe File created C:\Windows\SysWOW64\Oengjm32.dll Jmlfmn32.exe File created C:\Windows\SysWOW64\Oknhdjko.exe Oddphp32.exe File created C:\Windows\SysWOW64\Kmpnop32.dll Fbfjkj32.exe File created C:\Windows\SysWOW64\Ogdhik32.exe Oqkpmaif.exe File opened for modification C:\Windows\SysWOW64\Ogdhik32.exe Oqkpmaif.exe File created C:\Windows\SysWOW64\Godgdfic.dll Pimkbbpi.exe File created C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File created C:\Windows\SysWOW64\Ecjgio32.exe Empomd32.exe File created C:\Windows\SysWOW64\Nklopg32.exe Macjgadf.exe File opened for modification C:\Windows\SysWOW64\Oqkpmaif.exe Oknhdjko.exe File created C:\Windows\SysWOW64\Geogecdd.dll Aejnfe32.exe File created C:\Windows\SysWOW64\Endjeihi.dll Cdpdnpif.exe File opened for modification C:\Windows\SysWOW64\Eifobe32.exe Efhcej32.exe File created C:\Windows\SysWOW64\Mlglpa32.dll Mpkhoj32.exe File created C:\Windows\SysWOW64\Jmflbo32.dll Oqkpmaif.exe File created C:\Windows\SysWOW64\Ehbgahjb.dll Ablbjj32.exe File created C:\Windows\SysWOW64\Dklepmal.exe Dcemnopj.exe File created C:\Windows\SysWOW64\Oqojhp32.exe Onamle32.exe File created C:\Windows\SysWOW64\Bdinnqon.exe Bnofaf32.exe File created C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe File created C:\Windows\SysWOW64\Eifobe32.exe Efhcej32.exe File created C:\Windows\SysWOW64\Ieoeff32.dll Efhcej32.exe File opened for modification C:\Windows\SysWOW64\Njchfc32.exe Ngeljh32.exe File created C:\Windows\SysWOW64\Ojdlmb32.dll Dklepmal.exe File opened for modification C:\Windows\SysWOW64\Eiilge32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Dkeoongd.exe Dhgccbhp.exe File opened for modification C:\Windows\SysWOW64\Flnndp32.exe Fedfgejh.exe File created C:\Windows\SysWOW64\Bdjkbh32.dll Jecnnk32.exe File created C:\Windows\SysWOW64\Oqkpmaif.exe Oknhdjko.exe File created C:\Windows\SysWOW64\Qnqjkh32.exe Plbmom32.exe File created C:\Windows\SysWOW64\Offqpg32.dll Qlggjlep.exe File opened for modification C:\Windows\SysWOW64\Dfhgggim.exe Dbmkfh32.exe File created C:\Windows\SysWOW64\Gdfqnhjl.dll Nfjildbp.exe File opened for modification C:\Windows\SysWOW64\Ofobgc32.exe Oodjjign.exe File created C:\Windows\SysWOW64\Dcemnopj.exe Djmiejji.exe File opened for modification C:\Windows\SysWOW64\Cnflae32.exe Ckhpejbf.exe File created C:\Windows\SysWOW64\Jbaajccm.dll Dochelmj.exe File created C:\Windows\SysWOW64\Ldpnoj32.exe Lpaehl32.exe File created C:\Windows\SysWOW64\Ipbolili.dll Pbepkh32.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Ldpnoj32.exe File opened for modification C:\Windows\SysWOW64\Qlggjlep.exe Qdpohodn.exe File created C:\Windows\SysWOW64\Kgagag32.dll Ajnqphhe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2480 2472 WerFault.exe 176 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clilmbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebockkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnqphhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfjmake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjildbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdpohodn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdfmbjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihpmnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofobgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdnpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbpehpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajldkhjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khojcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpikik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadobccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboglhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmocbnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjalhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqhdmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgecq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkhoj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID ddca3db8deab743d856ad9fe47934e50N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albjnplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joomjp32.dll" Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojceef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfaqfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgldklaj.dll" Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhcjhd.dll" Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" Oqmmbqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkcdb32.dll" Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll" Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikonfbfj.dll" Ojceef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qobbcpoc.dll" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhmod32.dll" Jmocbnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godgdfic.dll" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccqhdmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oknhdjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baclaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcmnk32.dll" Adblnnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngbpehpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agflga32.dll" Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmflbo32.dll" Oqkpmaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll" Bdinnqon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lophacfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egcfdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiabmg32.dll" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afiganaa.dll" Pjhnqfla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfagoln.dll" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophppo32.dll" Baclaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpkhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpaehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknida32.dll" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aicmadmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejnfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Appbcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklepmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekbn32.dll" Ofobgc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 624 wrote to memory of 2616 624 ddca3db8deab743d856ad9fe47934e50N.exe 30 PID 624 wrote to memory of 2616 624 ddca3db8deab743d856ad9fe47934e50N.exe 30 PID 624 wrote to memory of 2616 624 ddca3db8deab743d856ad9fe47934e50N.exe 30 PID 624 wrote to memory of 2616 624 ddca3db8deab743d856ad9fe47934e50N.exe 30 PID 2616 wrote to memory of 2788 2616 Jmlfmn32.exe 31 PID 2616 wrote to memory of 2788 2616 Jmlfmn32.exe 31 PID 2616 wrote to memory of 2788 2616 Jmlfmn32.exe 31 PID 2616 wrote to memory of 2788 2616 Jmlfmn32.exe 31 PID 2788 wrote to memory of 2948 2788 Jecnnk32.exe 32 PID 2788 wrote to memory of 2948 2788 Jecnnk32.exe 32 PID 2788 wrote to memory of 2948 2788 Jecnnk32.exe 32 PID 2788 wrote to memory of 2948 2788 Jecnnk32.exe 32 PID 2948 wrote to memory of 2612 2948 Jfekec32.exe 33 PID 2948 wrote to memory of 2612 2948 Jfekec32.exe 33 PID 2948 wrote to memory of 2612 2948 Jfekec32.exe 33 PID 2948 wrote to memory of 2612 2948 Jfekec32.exe 33 PID 2612 wrote to memory of 2536 2612 Jmocbnop.exe 34 PID 2612 wrote to memory of 2536 2612 Jmocbnop.exe 34 PID 2612 wrote to memory of 2536 2612 Jmocbnop.exe 34 PID 2612 wrote to memory of 2536 2612 Jmocbnop.exe 34 PID 2536 wrote to memory of 2168 2536 Kihpmnbb.exe 35 PID 2536 wrote to memory of 2168 2536 Kihpmnbb.exe 35 PID 2536 wrote to memory of 2168 2536 Kihpmnbb.exe 35 PID 2536 wrote to memory of 2168 2536 Kihpmnbb.exe 35 PID 2168 wrote to memory of 660 2168 Kbbakc32.exe 36 PID 2168 wrote to memory of 660 2168 Kbbakc32.exe 36 PID 2168 wrote to memory of 660 2168 Kbbakc32.exe 36 PID 2168 wrote to memory of 660 2168 Kbbakc32.exe 36 PID 660 wrote to memory of 572 660 Khojcj32.exe 37 PID 660 wrote to memory of 572 660 Khojcj32.exe 37 PID 660 wrote to memory of 572 660 Khojcj32.exe 37 PID 660 wrote to memory of 572 660 Khojcj32.exe 37 PID 572 wrote to memory of 2208 572 Lajkbp32.exe 38 PID 572 wrote to memory of 2208 572 Lajkbp32.exe 38 PID 572 wrote to memory of 2208 572 Lajkbp32.exe 38 PID 572 wrote to memory of 2208 572 Lajkbp32.exe 38 PID 2208 wrote to memory of 2708 2208 Lkbpke32.exe 39 PID 2208 wrote to memory of 2708 2208 Lkbpke32.exe 39 PID 2208 wrote to memory of 2708 2208 Lkbpke32.exe 39 PID 2208 wrote to memory of 2708 2208 Lkbpke32.exe 39 PID 2708 wrote to memory of 2912 2708 Lophacfl.exe 40 PID 2708 wrote to memory of 2912 2708 Lophacfl.exe 40 PID 2708 wrote to memory of 2912 2708 Lophacfl.exe 40 PID 2708 wrote to memory of 2912 2708 Lophacfl.exe 40 PID 2912 wrote to memory of 1680 2912 Lpaehl32.exe 41 PID 2912 wrote to memory of 1680 2912 Lpaehl32.exe 41 PID 2912 wrote to memory of 1680 2912 Lpaehl32.exe 41 PID 2912 wrote to memory of 1680 2912 Lpaehl32.exe 41 PID 1680 wrote to memory of 1492 1680 Ldpnoj32.exe 42 PID 1680 wrote to memory of 1492 1680 Ldpnoj32.exe 42 PID 1680 wrote to memory of 1492 1680 Ldpnoj32.exe 42 PID 1680 wrote to memory of 1492 1680 Ldpnoj32.exe 42 PID 1492 wrote to memory of 1684 1492 Lilfgq32.exe 43 PID 1492 wrote to memory of 1684 1492 Lilfgq32.exe 43 PID 1492 wrote to memory of 1684 1492 Lilfgq32.exe 43 PID 1492 wrote to memory of 1684 1492 Lilfgq32.exe 43 PID 1684 wrote to memory of 2344 1684 Mpikik32.exe 44 PID 1684 wrote to memory of 2344 1684 Mpikik32.exe 44 PID 1684 wrote to memory of 2344 1684 Mpikik32.exe 44 PID 1684 wrote to memory of 2344 1684 Mpikik32.exe 44 PID 2344 wrote to memory of 1000 2344 Meecaa32.exe 45 PID 2344 wrote to memory of 1000 2344 Meecaa32.exe 45 PID 2344 wrote to memory of 1000 2344 Meecaa32.exe 45 PID 2344 wrote to memory of 1000 2344 Meecaa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddca3db8deab743d856ad9fe47934e50N.exe"C:\Users\Admin\AppData\Local\Temp\ddca3db8deab743d856ad9fe47934e50N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Nfjildbp.exeC:\Windows\system32\Nfjildbp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe34⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe37⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe44⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe63⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe69⤵PID:2828
-
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe70⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe72⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Ajnqphhe.exeC:\Windows\system32\Ajnqphhe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe75⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Afeaei32.exeC:\Windows\system32\Afeaei32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe80⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Appbcn32.exeC:\Windows\system32\Appbcn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe91⤵PID:2180
-
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe92⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe93⤵PID:1908
-
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe94⤵PID:3000
-
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe95⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe96⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe99⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe100⤵PID:2076
-
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Clnehado.exeC:\Windows\system32\Clnehado.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe113⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe120⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe121⤵PID:2980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-