Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 00:58
Static task
static1
Behavioral task
behavioral1
Sample
8c8e53fa72605564b5a604255a5b4810N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
8c8e53fa72605564b5a604255a5b4810N.exe
Resource
win10v2004-20240802-en
General
-
Target
8c8e53fa72605564b5a604255a5b4810N.exe
-
Size
346KB
-
MD5
8c8e53fa72605564b5a604255a5b4810
-
SHA1
5cb36ac404ef89faa10a9c935f80be039f35229c
-
SHA256
8fcc6ecf458796bd2522e61adcd8b55ccafd31877beaa2c423215058f2f960c7
-
SHA512
ff16d2091bb860fb3a8190a55adc0bc2bfd83a90f4582dea430fb8cd114e89ee21d2caea8826eb2dc17c160423c086b4bcf6ddfddf6f0a4c37515ff0dcec9d60
-
SSDEEP
6144:dQlO76EsmhdsFj5t13LJhrmMsFj5tzOvfFOM:ylyRhds15tFrls15tz4FT
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjokd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmoafdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapgdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcgpihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biklho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfaigclq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeiqgkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckidcpjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhfaddk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkaiphj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfaigclq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdkhq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmhcaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajaelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdolgfbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcebe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adepji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajohfcpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljehpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmoafdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfjjpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afappe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmolc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babcil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcmkgmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 8c8e53fa72605564b5a604255a5b4810N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfbbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagdnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgmoigj.exe -
Executes dropped EXE 64 IoCs
pid Process 4360 Qppaclio.exe 5100 Qfjjpf32.exe 4444 Qapnmopa.exe 1512 Qikbaaml.exe 4424 Aabkbono.exe 4544 Apeknk32.exe 4228 Abcgjg32.exe 4800 Ajjokd32.exe 3700 Aadghn32.exe 2624 Apggckbf.exe 3904 Afappe32.exe 2676 Aiplmq32.exe 4676 Aagdnn32.exe 1008 Adepji32.exe 2188 Ajohfcpj.exe 3264 Amnebo32.exe 4872 Adgmoigj.exe 4212 Ajaelc32.exe 2992 Aidehpea.exe 2204 Aalmimfd.exe 3020 Adjjeieh.exe 2408 Afhfaddk.exe 4612 Bigbmpco.exe 4416 Bpqjjjjl.exe 1108 Bboffejp.exe 2796 Bfkbfd32.exe 2360 Biiobo32.exe 908 Bapgdm32.exe 696 Bpcgpihi.exe 1772 Bbaclegm.exe 2392 Bfmolc32.exe 4448 Biklho32.exe 2968 Babcil32.exe 8 Bdapehop.exe 2012 Bbdpad32.exe 1872 Bkkhbb32.exe 1740 Bmidnm32.exe 1116 Baepolni.exe 3112 Bdcmkgmm.exe 1936 Bfaigclq.exe 3612 Bkmeha32.exe 4484 Bmladm32.exe 3952 Bpjmph32.exe 3708 Bdeiqgkj.exe 2744 Bgdemb32.exe 3948 Cibain32.exe 3124 Cajjjk32.exe 5160 Cpljehpo.exe 5192 Cbkfbcpb.exe 5236 Cgfbbb32.exe 5276 Cienon32.exe 5312 Calfpk32.exe 5360 Cdjblf32.exe 5392 Cgiohbfi.exe 5432 Ckdkhq32.exe 5472 Cmbgdl32.exe 5520 Cancekeo.exe 5560 Cdmoafdb.exe 5592 Ccppmc32.exe 5632 Ckggnp32.exe 5672 Cmedjl32.exe 5716 Cpcpfg32.exe 5752 Cdolgfbp.exe 5792 Cgmhcaac.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aidehpea.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Ilpgfc32.dll Bbaclegm.exe File created C:\Windows\SysWOW64\Bpcgpihi.exe Bapgdm32.exe File created C:\Windows\SysWOW64\Dodebo32.dll Ccppmc32.exe File created C:\Windows\SysWOW64\Ddcebe32.exe Daeifj32.exe File opened for modification C:\Windows\SysWOW64\Bboffejp.exe Bpqjjjjl.exe File created C:\Windows\SysWOW64\Fnihje32.dll Bpqjjjjl.exe File opened for modification C:\Windows\SysWOW64\Bapgdm32.exe Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Aidehpea.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Cgiohbfi.exe Cdjblf32.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Cancekeo.exe File created C:\Windows\SysWOW64\Mfnlgh32.dll Cdolgfbp.exe File created C:\Windows\SysWOW64\Adepji32.exe Aagdnn32.exe File created C:\Windows\SysWOW64\Ajohfcpj.exe Adepji32.exe File created C:\Windows\SysWOW64\Bdapehop.exe Babcil32.exe File opened for modification C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Qppaclio.exe 8c8e53fa72605564b5a604255a5b4810N.exe File opened for modification C:\Windows\SysWOW64\Qfjjpf32.exe Qppaclio.exe File created C:\Windows\SysWOW64\Aabkbono.exe Qikbaaml.exe File created C:\Windows\SysWOW64\Biklho32.exe Bfmolc32.exe File created C:\Windows\SysWOW64\Pknjieep.dll Cibain32.exe File created C:\Windows\SysWOW64\Qecffhdo.dll Calfpk32.exe File created C:\Windows\SysWOW64\Bigpblgh.dll Dgpeha32.exe File created C:\Windows\SysWOW64\Qppaclio.exe 8c8e53fa72605564b5a604255a5b4810N.exe File created C:\Windows\SysWOW64\Ncmkcc32.dll Apggckbf.exe File opened for modification C:\Windows\SysWOW64\Afhfaddk.exe Adjjeieh.exe File created C:\Windows\SysWOW64\Olqjha32.dll Aagdnn32.exe File opened for modification C:\Windows\SysWOW64\Ajohfcpj.exe Adepji32.exe File opened for modification C:\Windows\SysWOW64\Bpqjjjjl.exe Bigbmpco.exe File created C:\Windows\SysWOW64\Cgmhcaac.exe Cdolgfbp.exe File created C:\Windows\SysWOW64\Leeigm32.dll Qapnmopa.exe File opened for modification C:\Windows\SysWOW64\Bdapehop.exe Babcil32.exe File created C:\Windows\SysWOW64\Bcidlo32.dll Cbkfbcpb.exe File created C:\Windows\SysWOW64\Eafbac32.dll Cienon32.exe File created C:\Windows\SysWOW64\Dkkaiphj.exe Dgpeha32.exe File created C:\Windows\SysWOW64\Mbddol32.dll Ckggnp32.exe File created C:\Windows\SysWOW64\Hmafal32.dll Bmidnm32.exe File opened for modification C:\Windows\SysWOW64\Ckidcpjl.exe Cgmhcaac.exe File created C:\Windows\SysWOW64\Lpphjbnh.dll Baepolni.exe File created C:\Windows\SysWOW64\Cpcpfg32.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Ckjfdocc.dll Apeknk32.exe File opened for modification C:\Windows\SysWOW64\Biiobo32.exe Bfkbfd32.exe File created C:\Windows\SysWOW64\Aldclhie.dll Bbdpad32.exe File created C:\Windows\SysWOW64\Ldfakpfj.dll Aalmimfd.exe File created C:\Windows\SysWOW64\Bfaigclq.exe Bdcmkgmm.exe File created C:\Windows\SysWOW64\Lljoca32.dll Cmgqpkip.exe File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Apeknk32.exe File created C:\Windows\SysWOW64\Ifcmmg32.dll Bkkhbb32.exe File opened for modification C:\Windows\SysWOW64\Bdeiqgkj.exe Bpjmph32.exe File created C:\Windows\SysWOW64\Mgqaip32.dll Dkkaiphj.exe File opened for modification C:\Windows\SysWOW64\Dcffnbee.exe Ddcebe32.exe File created C:\Windows\SysWOW64\Eiahpo32.dll Cdjblf32.exe File created C:\Windows\SysWOW64\Cancekeo.exe Cmbgdl32.exe File created C:\Windows\SysWOW64\Qfjjpf32.exe Qppaclio.exe File created C:\Windows\SysWOW64\Gpeipb32.dll Adepji32.exe File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe Cbkfbcpb.exe File opened for modification C:\Windows\SysWOW64\Bmidnm32.exe Bkkhbb32.exe File created C:\Windows\SysWOW64\Qahlom32.dll Dgbanq32.exe File created C:\Windows\SysWOW64\Bboffejp.exe Bpqjjjjl.exe File created C:\Windows\SysWOW64\Biiobo32.exe Bfkbfd32.exe File opened for modification C:\Windows\SysWOW64\Bbdpad32.exe Bdapehop.exe File created C:\Windows\SysWOW64\Adjjeieh.exe Aalmimfd.exe File created C:\Windows\SysWOW64\Afhfaddk.exe Adjjeieh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4468 4500 WerFault.exe 167 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjjeieh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapgdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baepolni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkaiphj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjmekgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcffnbee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjokd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidehpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckidcpjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cienon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdolgfbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmhcaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppaclio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiplmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajohfcpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcgpihi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqnjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabkbono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdapehop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkfbcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c8e53fa72605564b5a604255a5b4810N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfaigclq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apggckbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboffejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpljehpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adepji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcpfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccppmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgqpkip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calfpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgiohbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfjjpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhfaddk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigbmpco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpqjjjjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcmkgmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afappe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnebo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgmoigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalmimfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biklho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmidnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdeiqgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qapnmopa.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll" Dcffnbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikbaaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll" Adgmoigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll" Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdeiqgkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpcpfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldaec32.dll" Ajjokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afappe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkehj32.dll" Ajaelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpljehpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qapnmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfmlghd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkaiphj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bigbmpco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll" Cmbgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll" Cgmhcaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 8c8e53fa72605564b5a604255a5b4810N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afhfaddk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll" Qfjjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll" Cpfmlghd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdaile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabkbono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adepji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgiohbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" Ckdkhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkbfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bapgdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcmkgmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adgmoigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfjjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll" Ckidcpjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" Dgpeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfmlghd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll" Bpcgpihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll" Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcmkgmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll" Daeifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkdeeod.dll" Qppaclio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qapnmopa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeknk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 400 wrote to memory of 4360 400 8c8e53fa72605564b5a604255a5b4810N.exe 91 PID 400 wrote to memory of 4360 400 8c8e53fa72605564b5a604255a5b4810N.exe 91 PID 400 wrote to memory of 4360 400 8c8e53fa72605564b5a604255a5b4810N.exe 91 PID 4360 wrote to memory of 5100 4360 Qppaclio.exe 92 PID 4360 wrote to memory of 5100 4360 Qppaclio.exe 92 PID 4360 wrote to memory of 5100 4360 Qppaclio.exe 92 PID 5100 wrote to memory of 4444 5100 Qfjjpf32.exe 94 PID 5100 wrote to memory of 4444 5100 Qfjjpf32.exe 94 PID 5100 wrote to memory of 4444 5100 Qfjjpf32.exe 94 PID 4444 wrote to memory of 1512 4444 Qapnmopa.exe 95 PID 4444 wrote to memory of 1512 4444 Qapnmopa.exe 95 PID 4444 wrote to memory of 1512 4444 Qapnmopa.exe 95 PID 1512 wrote to memory of 4424 1512 Qikbaaml.exe 96 PID 1512 wrote to memory of 4424 1512 Qikbaaml.exe 96 PID 1512 wrote to memory of 4424 1512 Qikbaaml.exe 96 PID 4424 wrote to memory of 4544 4424 Aabkbono.exe 97 PID 4424 wrote to memory of 4544 4424 Aabkbono.exe 97 PID 4424 wrote to memory of 4544 4424 Aabkbono.exe 97 PID 4544 wrote to memory of 4228 4544 Apeknk32.exe 98 PID 4544 wrote to memory of 4228 4544 Apeknk32.exe 98 PID 4544 wrote to memory of 4228 4544 Apeknk32.exe 98 PID 4228 wrote to memory of 4800 4228 Abcgjg32.exe 99 PID 4228 wrote to memory of 4800 4228 Abcgjg32.exe 99 PID 4228 wrote to memory of 4800 4228 Abcgjg32.exe 99 PID 4800 wrote to memory of 3700 4800 Ajjokd32.exe 100 PID 4800 wrote to memory of 3700 4800 Ajjokd32.exe 100 PID 4800 wrote to memory of 3700 4800 Ajjokd32.exe 100 PID 3700 wrote to memory of 2624 3700 Aadghn32.exe 101 PID 3700 wrote to memory of 2624 3700 Aadghn32.exe 101 PID 3700 wrote to memory of 2624 3700 Aadghn32.exe 101 PID 2624 wrote to memory of 3904 2624 Apggckbf.exe 102 PID 2624 wrote to memory of 3904 2624 Apggckbf.exe 102 PID 2624 wrote to memory of 3904 2624 Apggckbf.exe 102 PID 3904 wrote to memory of 2676 3904 Afappe32.exe 103 PID 3904 wrote to memory of 2676 3904 Afappe32.exe 103 PID 3904 wrote to memory of 2676 3904 Afappe32.exe 103 PID 2676 wrote to memory of 4676 2676 Aiplmq32.exe 104 PID 2676 wrote to memory of 4676 2676 Aiplmq32.exe 104 PID 2676 wrote to memory of 4676 2676 Aiplmq32.exe 104 PID 4676 wrote to memory of 1008 4676 Aagdnn32.exe 105 PID 4676 wrote to memory of 1008 4676 Aagdnn32.exe 105 PID 4676 wrote to memory of 1008 4676 Aagdnn32.exe 105 PID 1008 wrote to memory of 2188 1008 Adepji32.exe 106 PID 1008 wrote to memory of 2188 1008 Adepji32.exe 106 PID 1008 wrote to memory of 2188 1008 Adepji32.exe 106 PID 2188 wrote to memory of 3264 2188 Ajohfcpj.exe 107 PID 2188 wrote to memory of 3264 2188 Ajohfcpj.exe 107 PID 2188 wrote to memory of 3264 2188 Ajohfcpj.exe 107 PID 3264 wrote to memory of 4872 3264 Amnebo32.exe 108 PID 3264 wrote to memory of 4872 3264 Amnebo32.exe 108 PID 3264 wrote to memory of 4872 3264 Amnebo32.exe 108 PID 4872 wrote to memory of 4212 4872 Adgmoigj.exe 109 PID 4872 wrote to memory of 4212 4872 Adgmoigj.exe 109 PID 4872 wrote to memory of 4212 4872 Adgmoigj.exe 109 PID 4212 wrote to memory of 2992 4212 Ajaelc32.exe 110 PID 4212 wrote to memory of 2992 4212 Ajaelc32.exe 110 PID 4212 wrote to memory of 2992 4212 Ajaelc32.exe 110 PID 2992 wrote to memory of 2204 2992 Aidehpea.exe 111 PID 2992 wrote to memory of 2204 2992 Aidehpea.exe 111 PID 2992 wrote to memory of 2204 2992 Aidehpea.exe 111 PID 2204 wrote to memory of 3020 2204 Aalmimfd.exe 112 PID 2204 wrote to memory of 3020 2204 Aalmimfd.exe 112 PID 2204 wrote to memory of 3020 2204 Aalmimfd.exe 112 PID 3020 wrote to memory of 2408 3020 Adjjeieh.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c8e53fa72605564b5a604255a5b4810N.exe"C:\Users\Admin\AppData\Local\Temp\8c8e53fa72605564b5a604255a5b4810N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Amnebo32.exeC:\Windows\system32\Amnebo32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Adjjeieh.exeC:\Windows\system32\Adjjeieh.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Afhfaddk.exeC:\Windows\system32\Afhfaddk.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Bapgdm32.exeC:\Windows\system32\Bapgdm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Bbaclegm.exeC:\Windows\system32\Bbaclegm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\Babcil32.exeC:\Windows\system32\Babcil32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Bdapehop.exeC:\Windows\system32\Bdapehop.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:8 -
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Windows\SysWOW64\Bdeiqgkj.exeC:\Windows\system32\Bdeiqgkj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Bgdemb32.exeC:\Windows\system32\Bgdemb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Cibain32.exeC:\Windows\system32\Cibain32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\Cajjjk32.exeC:\Windows\system32\Cajjjk32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Cgfbbb32.exeC:\Windows\system32\Cgfbbb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\Cienon32.exeC:\Windows\system32\Cienon32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Cdjblf32.exeC:\Windows\system32\Cdjblf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Ckdkhq32.exeC:\Windows\system32\Ckdkhq32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5880 -
C:\Windows\SysWOW64\Cpfmlghd.exeC:\Windows\system32\Cpfmlghd.exe68⤵
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe69⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4844 -
C:\Windows\SysWOW64\Dgbanq32.exeC:\Windows\system32\Dgbanq32.exe76⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Diqnjl32.exeC:\Windows\system32\Diqnjl32.exe77⤵
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 40078⤵
- Program crash
PID:4468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 45001⤵PID:3024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:81⤵PID:2580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
346KB
MD53bd471729233d4fd89972146de33dd29
SHA129324ca5ddd1e545258884af6f3fcb37fbdbb7a8
SHA2564391cb0499f07942ea1e12d10ad4b702d036bb77ed4cf1f36d77bfeb201ba438
SHA512671f1935780961f216659927f6b25a134152ef4b9473d8068eb764716bb8ec46a66ce2eea55813e57064c6e8c31f0804694cadff10d111a839ec7e57733c4bce
-
Filesize
346KB
MD598f35274794fb9c6f3d0bc93f4d16a67
SHA11743c4cb1d53b3d094c2f1db315490f6347827a0
SHA25633868f8e870b641248524ad645671997a8c1ee6ac6ca6b990941f923669c5304
SHA512d5bdfb554861d80f83ae08a2d8cda3860dffccdfffe208fea16b6889f29a6d7b18eba854f7e4aa4a8508cc48f139d184ce8de94a2bba654c58a57b4e45b8f66a
-
Filesize
346KB
MD521f5bf80e19cc234a4dbb0a2df3b4922
SHA113139a1c2d1430d735c3b7cd15fa07e543d911c9
SHA2563dabb3ce13b9c51f68c7f6f8ede8c363fe14e2adb214288a0ac158af355776c4
SHA512958631c02b1156025153543623aa2025644f6c625a9d03f2359836d0c351ef68b34f9129889590481049c893966963f323debdaba4ca74e296572c3c59cbc54f
-
Filesize
346KB
MD5f92da7eec22f1476a51efc921d2a36e7
SHA1194d67249192321bb9d6170100de932de47faef2
SHA2569246a59c0aee1c8c8adf6faef862731b396a15f37517d365fa09f8d8e54086c7
SHA51223606a0e969d6ada067a1e39f1abe0930cfef50e0d94be75e2e22c30f7a655fa2dba40900800f5e798ec6a1d476d0c770ba367ad02ae952595268b8ba08b4f13
-
Filesize
346KB
MD50e4c5694df384c90d085c945f7e9a95c
SHA1d81933bfcd74d4a4b1a04f0770560f8c97681695
SHA25604ee7e2ad8a47f4eaea92b4ca42aecca27c589ccb24fa8ebe0cb9b6882f874fa
SHA512083582f29c6c1046068b7b49ae6015d2be16fb3927ca9d4d25083e6db0d49c9b9c7d6985e2f63f751adb89aa36e2b3c6365136ffe40cb35e155c8a28d22871e6
-
Filesize
346KB
MD5a22887428d085dbcc6a5716fad65f6d8
SHA1f431580108e138b083f3d9277d6c814f1f73ab79
SHA25693f99edc54abc6d1c808690f109218abc1ca4f4bc72ea23f82490a569b62db8a
SHA512e7605c9ed1da71f2f3bb01d834b1b83a56a37179f78aaa95873c6fe514d4ec3b82aa5c29ebad0abf5e6a296148d923d541bbf2e42e025e8e112e9348396a4741
-
Filesize
346KB
MD55421c60a6bf5d70d66de8a819ae91265
SHA15d1cfcda5a2b41c18de1b053dd8e384ce9b418e2
SHA256aec8733d0bcd2b1d0d3ba812d8339ad777bf2e22eeace7d908145f9f4d77604d
SHA5128578281b49b3ee9ff9cbf69a5fc10760375fcefabee10af33aa9f0727f8280005d82dc0556ef08ddb889bcd1ba965f7ed302bbbc2e7600cc7a696a0f9b08fb6a
-
Filesize
346KB
MD5f602ad89353e959a2ee4680bf4a5e596
SHA133a69c63f5c5fad438b2919ad3ac94f3f858e81a
SHA256cd9703af10f27ff1aa84fc6b89f18ee11331cee3c7900174c3f425e4d13aa41e
SHA5125b3d1a1c6405f9c5b8aa06aff15620e72928e9ed1612c3ee899a84fd35be5563af3dc117f32016b3c26e095e4261bcf9af26ea7189236b7919b1da9914a18fd6
-
Filesize
346KB
MD58cdbd104ea78ec75072da13810799586
SHA14a7730b4e0ef7073ce54079bef0a6d7d8b970b8f
SHA2563b67e8e342c28bf22745132d6af3156ace90c8f704e79e29563ea9820e7ec1ee
SHA512392e1661de0afeb11200bed79ab36a1c4afbbb2efd9684acfaf288ae5108f1cb69aac6771e56c9dd17b47fc6413e33386451c1b4ec7ee9b64771f8e2064ea6ce
-
Filesize
346KB
MD502c630dcfc768668b16b475ced3a51c3
SHA1a21ad2bb3299e3a1319a2a2b5e57ebe65abcdeb9
SHA2561c08263a0f63d4be2cd6a9328c9506e4460e8e1dac2a3c4c77adb1ebaefdc92c
SHA512f56fad591856f75a617c531c7425336b27fda5cf2f044f6a973632e30a3b202c669a3522756fcee4da700b28d0c50ce42f7abcc7d88aa14d76b738a470f5d2ae
-
Filesize
346KB
MD5e01f9de72fb3dc444c404c0478120e4e
SHA17543c382136669609dc809b8310f50ee57a83cad
SHA256c5178b30ab5340e1a09ee5ec7958a0301b659eed2a26cb6dcd6585a05ae3b3d9
SHA512ba637c32ba4e750721abf1c1a9980a74321f711f1b137ec2d8fcf5f65a103ca62163169ab4a46bafb30c7378141b98b21f099518dab8f485662c85acf881a4cc
-
Filesize
346KB
MD5845b4c0ff2cf5619bcbce05ef4025975
SHA16884c09618363bf825e7950ec92c91093e97e1b1
SHA256cbec674d0435d33981bd1be6cad51969579105fddc92cd938c248d9ce8fc61ef
SHA512c24c96d4d2e3e4eccad1c250d1c023b2d2e660e77443c9f8d4c24b61b00f2b734abb4c4635e48cd31cd262dca8dd3ec3566e04d2289f99f3a52eb64e5e5af192
-
Filesize
346KB
MD58b0852c20dcea60917241f9e632d9e0a
SHA1c3929f69f29c5e949b461fff02c8f1e51e55efec
SHA2567333b8915f19af6e1e20079c6a88c5f3a23e7085da0d241bb13fb216d3dbb4c6
SHA512bbdb59054f442d84c4a277ab55f594243f3cb45483c86d9cd60f9db910eb0ada5371e300f0c7365b4c35751aa72e00e84a22ebd87bcf1b97b565b438f2f492c6
-
Filesize
346KB
MD534ace5686f4d64f8d46c38c6ddef79ff
SHA1d0dceda2bbfe25167fd0888516e541da3b07d5dc
SHA256aaaab9e1820dba0c6b83d4829312a4614fc2eaeab8090d9c4df0fadabafa5bbc
SHA512cce4a09f8a8fcae53f93a479e336496533e2fab4f177cb059438e484a76ae2323a140ad59774a7a4d195af139a19fdff4f692da9790088ec58c133c2dc3ae91e
-
Filesize
346KB
MD5b406de41d6d048940191115b7a5801fc
SHA13389dfec96a29f972d396596a2cc07aa6ac536f3
SHA256e41af391b741fff059b62990e297ca2d855532640142bc540058736591482d4e
SHA512d2021cb12f19bde7f658d8c8ee869b52835c649eaa6b0381705062096a12279efe28b0cbe7de4b4f148725d661c6699daadcd759b4ca1ff350d99151fbd5c60e
-
Filesize
346KB
MD5a12468f5276a6de44cae1a75bed10675
SHA18e03811fd40de9a8dd7c760b6489a60575b56aaf
SHA2564441459de67ec3036b5b328fbb7df3dd3c465bba225d078ebff54cd2ea6f7509
SHA512a052268ed3ab11fd92ca87bf8ed70dd1ad0b8a3ac1b8717576f100527d570e8cef85a0bd4352431151bd25f02d8173b6c789b353b04f2d2027ec37f73b7edef3
-
Filesize
346KB
MD56a9bf0b1e1453db4889783d58c0957fb
SHA13a268914d6bd5b1f22ec33932a0de731e15dff6f
SHA256d7d318a29073caa22079cb1ffa8723f23374bc182316035ebbe0b8f917e3427f
SHA5129dbf2fc4cf22fb6beddcf25a8f0499d5d3d032515279b6dc1a619a6f81d5a808db1601565c9d58a7c7299faab054c4d1d190a180e56a626c79daf2d135b137ec
-
Filesize
346KB
MD5284f7476233241fb12ec9b287e29d8a0
SHA1d10e2e4a95f5f2841d6a909ef393739bbcb0cd78
SHA256817cac8519464a7effbe0a802fa6a47fe65778d273f6daffc055a209c29d169b
SHA51274b97153fc70c67cf3f05c2932af043f06e28675fd6fd5814f53b758c2c34ecf197a744bab233f10d92f5fb95a0d368bae395c0dcef496d860f566bf2f3d5d8d
-
Filesize
346KB
MD591123e7549d35ff97533cd5630d820f7
SHA1853bf2b50abd58347fa3392558937814f0058922
SHA25650544cd0aeeb450d6b1279d5a6559d695325a792b41f68cb2e8fff38eae08efd
SHA512e91c2dcb1f63fa3b62d7b93e9c4306e1dd6abf43adc992de6680c65dcc31052a42d8ae6bab743dabaa6bc71a0d821b19e5c189b581371e4654ffccd76a6e754f
-
Filesize
346KB
MD52d32c4ca16e3b5ba4d036d8f9d87b2d6
SHA12ae088fd1a1ec6d9af36f07862ac2d3cdfcbf136
SHA2567d0ada38badab9fde893ace16e5350d3c8c77445e8c21b67c3fc128ab9d0f5e7
SHA5122ddae1dc1cabf0d99cb37f48e3693a3d1a79239d311517b1cc0137b07cd9780fb3ab997d032744feadf6f712cb226f67869d6d86f0f91555b2f1daa4b61bb6f9
-
Filesize
346KB
MD5139b9bff5da3ad54b9eb177c91e07e9a
SHA15e25301975ee81a208bad131181d550e5c9cf87a
SHA25662c604c1184e7cb2aa01ce50d50d4cd9cb804528a64fa06fbc3d681b130f0831
SHA5127ef02c106fd37cb81c3b9644b0285ccf0f5c967a931b4b42987ef7708d77d94341b5623b4db19c3ecc831dfbabe4bcd89fc6f322d3484426c787a8513e75fbbd
-
Filesize
346KB
MD51a21cc9201ba2a6de9526cb8c198f16b
SHA1208e0c44346623dcbf1e52cac8cb2ba01bb8492c
SHA256522c757562097d97ea2699d73a7532fcd377e4b86e855810d252eda5e5ded3c9
SHA512be4f7deabacfb7dd8c3ac031497d9d6444990d90c245473be50e95f790a487be580ccb10b82e174f0b37d97074cf53a14d4eee9cfbf8b869e6258f4f277b2e64
-
Filesize
346KB
MD53fc50a019bdf1d066a17ac650fd08914
SHA142ed95e1a0f8e28d3311f88e26822f68e3a2cfaf
SHA2569f5c1641ee8b6bc6dbeb8dfb375bce81f84bdcd8b73dcea2fb5827b828b950ea
SHA51246f5601861400b9991f3b9f063d858e710d8f992b3aa600049fc51d9f4f6a7328930e6a9ee8cff82b8903722b07fad0cee608dfeacaae079ec134e17c5779077
-
Filesize
346KB
MD5d8780131f6b90c06ad3ff5aa0abe22e6
SHA14a40d9a7b986b91f5e2e7c8f00074e02a785c759
SHA2560ad13713d90939323c9ead8da1cac0245e23129bbec2ab2a20f946b4d48fe8f5
SHA5127d790f3f876953bdb47541c8559d1d4b489079a5d546b69353c19ac75f2b4b64a34464dafa8271d8f4bb1267e62b98c027ab34f6b1fe699dc0be4844171ffd44
-
Filesize
346KB
MD532b0afa215b4d02c9fa87b1627f77fb5
SHA133aac56309f517a4adc120341aa10c5fd546a13f
SHA256ee35194e6625c7a95e072a35729c95012d5dc87ec30a699bfa10cb69b3206789
SHA512a8c4f3a9bd1e4428e9934de7cc58f0620bc2a7dbd4acf8a3e85adacf4f7e25049b2e98e4eab4f0973611eb9d0a2a89f0067fb599c23e42e6e079e3e206d8cd70
-
Filesize
346KB
MD5a18fef30ed46ffd13816e74e38fc29c4
SHA1dd359047e494bafc7f45e40d59fce04364d43610
SHA256056e535b014b38f9de289c388d3b7e01d45c4e24967b1e0c063cd24378db3a0d
SHA51245f58186335e10d8d8a03d1da4c0b957d9fd11fa17fbfaf5883c5c670014365099acf4a7696018d578559854bc70670d280da3dc1e12ca91838fdf3904ccdd4c
-
Filesize
346KB
MD5387527438b6e7705bcf86469871897ba
SHA1d3a23f7d348cdcbd597a2a2f2f9fcc6a049638de
SHA256ec8e7dc1f9dad2f7c683f6f032d35e2609e3e9a7c3f0e827ad4dad7dd2e9d2bb
SHA5126d68bb238a461cbaff8728ffa9bba1e668ad5e72e78543c8ba247f50479ade368f59b1bb899e659060176cd67c76e35ddc1d9fffec7230a950556f0de8a4328c
-
Filesize
346KB
MD56fd60d122dee9abd94d9a3ebab0f6f02
SHA11f81a0fa0abb031b3bd012a5a9863e93ccc84728
SHA2561bcde1b3cc0ecd662459550b94585e5a6416ddb5d7c283b28f2ac5b5229f6304
SHA51207ae90efe38a59a8997ac83aa82ee95fe3d1233811319227c790a400c7a34c407d5213075b4e82ec407a699a034bc5371c1cb5c3aeee20cbaaabc5810ffb091a
-
Filesize
346KB
MD5f319d4d96962c33a4dcabfbfee381cb1
SHA168424966f18a21bf146f3f66dc4dc11bbfbf64c4
SHA256e3d177fe86a0a8b45a0934391dc0365423091d30ee1910c61682ac3f979805a9
SHA5129ced8232ac642a815ba84761db3c25d25c15402ec83cc70eb57b261f84025d8e9f50f1c279afa76c3a187db198343986d090216194043616d6962610b8876fb2
-
Filesize
346KB
MD53abed3e452c3adcb9c9517884c45422c
SHA10f9092da6d0b4fdc7da25cb1f42c5999d2e15f73
SHA2568d3e1190fbe511bc837f2e21c6fb1864dfd393636182bfdd4d3997571ad5169c
SHA51291f793be67d58e974213c7464c58a88d286a493348d1007a1fa1e90c4908219f996934bc092810485475a52d71a9e185e32c41ba31ba9d0fd25e23baa3c77e6e
-
Filesize
346KB
MD50a1114cd45704574511e90e01f320063
SHA19b30d7888f5a8f16b4949eed06742c57db53f173
SHA256db07bf5e83591d7cc251ab04f6dcb595b6bb163320e3417de6d37cf071e57e1b
SHA512900c7bf04ece4fb7734bf75a8f12c868c109755c25eac440f1590da4b25286c98ab1f5620d1c6deef51c18a1361b0cc25dc0d317ac68ab7112ccc364fa4346f5
-
Filesize
346KB
MD50d50a03c7fc1650e86a6a34c4933b274
SHA1413211a48a33c9605d7f72fbd684e65cc2dbe9b6
SHA256340e6ffd60f658f54ff5185ea086e8c988a4f4a739fb41d207725bf1863a61b3
SHA5127f3008165e7dc150d1ef4a3aadba82ea6e3000d5c7cbf2c894fed0f28f0bb0a14b5c174edc12e0c98ac78d4ba82f9e83706a708a2366e0b07876a7e2bbdbc2cd