Analysis
max time kernel: 142s
max time network: 20s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 22:26
Static task: static1
Behavioral task: behavioral1
  Sample: 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe
  Resource: win10v2004-20240802-en
General
Target: 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe
Size: 160KB
MD5: 007e231c0cf1cf0730ce0222added1c0
SHA1: 7f7355e7e3898fbdcc4bd1b740c7cd319a5366d5
SHA256: 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c
SHA512: b3818f4a85401fb3e23384196f5b2968b659f2832f0057145b38a8c8434dcbcfedf6e7844d640758be42d0767c5d31ecdadb7ff141f8598bc3fc16478811dc84
SSDEEP: 3072:vd/sOIai4nxqaQwQ4dnzrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr/rrgrrrrrrM:vdrIai4nxqaQwQ4dnzrrrrrrrrrrrrrn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fillabde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqajqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnoaliln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjfpkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjndca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcedbefd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onqaonnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcaiggo.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojakdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdajff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflkiapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppkgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eenckc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqkqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nodnmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjhig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoqfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapfmg32.exe Key 
created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qechqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emilqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklhca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfmdfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhkhnel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efifjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bambjnfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qibhao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnodjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhpddbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkkbcpbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlqpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fomndhng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdkajic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgaan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhigo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobfgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqijmkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhookh32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjqpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqoqlfkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoqfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qechqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhkhnel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkolblkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmhij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lielphqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmnnakm.exe -
Executes dropped EXE (64 IoCs)
pid   Process
1972  Ekblplgo.exe
2780  Emailhfb.exe
2896  Edmnnakm.exe
2960  Fdpjcaij.exe
1264  Fgqcel32.exe
1624  Folhio32.exe
2132  Fcjqpm32.exe
2380  Foqadnpq.exe
2732  Gnenfjdh.exe
1512  Gpfggeai.exe
956   Gafcahil.exe
2552  Gqkqbe32.exe
1448  Gnoaliln.exe
2068  Hfjfpkji.exe
2248  Hjhofj32.exe
2076  Hklhca32.exe
2548  Hojqjp32.exe
2180  Hibebeqb.exe
1096  Hnomkloi.exe
1536  Iggbdb32.exe
1076  Iapfmg32.exe
1116  Iabcbg32.exe
904   Ijjgkmqh.exe
1924  Ibeloo32.exe
2140  Ilnqhddd.exe
1720  Jplinckj.exe
2740  Jffakm32.exe
1588  Jlegic32.exe
2640  Jaaoakmc.exe
2904  Jephgi32.exe
2656  Jjlqpp32.exe
2816  Khpaidpk.exe
2052  Kbjbibli.exe
1692  Kghkppbp.exe
536   Kppohf32.exe
2964  Kihcakpa.exe
3024  Lohiob32.exe
1296  Lhpmhgbf.exe
736   Lednal32.exe
1700  Lhegcg32.exe
2336  Lppkgi32.exe
2292  Ljhppo32.exe
2220  Mliibj32.exe
2176  Nqijmkfm.exe
1532  Njaoeq32.exe
1100  Ombhgljn.exe
1784  Oclpdf32.exe
936   Oenmkngi.exe
2212  Opcaiggo.exe
2888  Oepianef.exe
2760  Oafjfokk.exe
2848  Ohqbbi32.exe
2056  Obffpa32.exe
2108  Odgchjhl.exe
2264  Ojakdd32.exe
1744  Phelnhnb.exe
2560  Pnodjb32.exe
2924  Pdllci32.exe
360   Pmdalo32.exe
3068  Pdnihiad.exe
2788  Pikaqppk.exe
1576  Ppejmj32.exe
2240  Pmijgn32.exe
1160  Pbfcoedi.exe
Loads dropped DLL (64 IoCs)
pid   Process
560   60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe
560   60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe
1972  Ekblplgo.exe
1972  Ekblplgo.exe
2780  Emailhfb.exe
2780  Emailhfb.exe
2896  Edmnnakm.exe
2896  Edmnnakm.exe
2960  Fdpjcaij.exe
2960  Fdpjcaij.exe
1264  Fgqcel32.exe
1264  Fgqcel32.exe
1624  Folhio32.exe
1624  Folhio32.exe
2132  Fcjqpm32.exe
2132  Fcjqpm32.exe
2380  Foqadnpq.exe
2380  Foqadnpq.exe
2732  Gnenfjdh.exe
2732  Gnenfjdh.exe
1512  Gpfggeai.exe
1512  Gpfggeai.exe
956   Gafcahil.exe
956   Gafcahil.exe
2552  Gqkqbe32.exe
2552  Gqkqbe32.exe
1448  Gnoaliln.exe
1448  Gnoaliln.exe
2068  Hfjfpkji.exe
2068  Hfjfpkji.exe
2248  Hjhofj32.exe
2248  Hjhofj32.exe
2076  Hklhca32.exe
2076  Hklhca32.exe
2548  Hojqjp32.exe
2548  Hojqjp32.exe
2180  Hibebeqb.exe
2180  Hibebeqb.exe
1096  Hnomkloi.exe
1096  Hnomkloi.exe
1536  Iggbdb32.exe
1536  Iggbdb32.exe
1076  Iapfmg32.exe
1076  Iapfmg32.exe
1116  Iabcbg32.exe
1116  Iabcbg32.exe
904   Ijjgkmqh.exe
904   Ijjgkmqh.exe
1924  Ibeloo32.exe
1924  Ibeloo32.exe
2140  Ilnqhddd.exe
2140  Ilnqhddd.exe
1720  Jplinckj.exe
1720  Jplinckj.exe
2740  Jffakm32.exe
2740  Jffakm32.exe
1588  Jlegic32.exe
1588  Jlegic32.exe
2640  Jaaoakmc.exe
2640  Jaaoakmc.exe
2904  Jephgi32.exe
2904  Jephgi32.exe
2656  Jjlqpp32.exe
2656  Jjlqpp32.exe
Drops file in System32 directory (64 IoCs)
description ioc Process File opened for modification C:\Windows\SysWOW64\Bkgchckl.exe Bpbokj32.exe File opened for modification C:\Windows\SysWOW64\Foqadnpq.exe Fcjqpm32.exe File opened for modification C:\Windows\SysWOW64\Lednal32.exe Lhpmhgbf.exe File created C:\Windows\SysWOW64\Clangg32.dll Fomndhng.exe File created C:\Windows\SysWOW64\Ieaekdkn.exe Fdjfmolo.exe File opened for modification C:\Windows\SysWOW64\Mkkbcpbl.exe Mdajff32.exe File opened for modification C:\Windows\SysWOW64\Pmoqfi32.exe Ofehiocd.exe File opened for modification C:\Windows\SysWOW64\Bgijbede.exe Bambjnfn.exe File created C:\Windows\SysWOW64\Oafjfokk.exe Oepianef.exe File created C:\Windows\SysWOW64\Aabfqp32.exe Akhndf32.exe File opened for modification C:\Windows\SysWOW64\Bcjhig32.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Dapnfb32.exe Djffihmp.exe File created C:\Windows\SysWOW64\Okgnna32.exe Oqajqi32.exe File opened for modification C:\Windows\SysWOW64\Fianpp32.exe Flnnfllf.exe File opened for modification C:\Windows\SysWOW64\Pdllci32.exe Pnodjb32.exe File created C:\Windows\SysWOW64\Akfalc32.dll Cohlnkeg.exe File opened for modification C:\Windows\SysWOW64\Ncbfcq32.exe Nlhnfg32.exe File created C:\Windows\SysWOW64\Nmmgafjh.exe Nbgcdmjb.exe File created C:\Windows\SysWOW64\Pihnqj32.exe Pnbjca32.exe File created C:\Windows\SysWOW64\Peooek32.exe Ppbfmdfo.exe File created C:\Windows\SysWOW64\Qbgglq32.dll Cgjjdijo.exe File opened for modification C:\Windows\SysWOW64\Liqcei32.exe Lddjmb32.exe File opened for modification C:\Windows\SysWOW64\Legcjjjm.exe Lpkkbcle.exe File opened for modification C:\Windows\SysWOW64\Pligbekc.exe Peooek32.exe File opened for modification C:\Windows\SysWOW64\Ojakdd32.exe Odgchjhl.exe File created C:\Windows\SysWOW64\Offlpgfp.dll Nmmgafjh.exe File created C:\Windows\SysWOW64\Pldnge32.exe Pifakj32.exe File created C:\Windows\SysWOW64\Lddjmb32.exe Linfpi32.exe File created C:\Windows\SysWOW64\Ogcobo32.dll Emailhfb.exe File created 
C:\Windows\SysWOW64\Hpamlo32.dll Ombhgljn.exe File created C:\Windows\SysWOW64\Fbdpjgjf.exe Fkmhij32.exe File opened for modification C:\Windows\SysWOW64\Cofohkgi.exe Cjifpdib.exe File created C:\Windows\SysWOW64\Flhkhnel.exe Eenckc32.exe File created C:\Windows\SysWOW64\Mqoqlfkl.exe Mjeholco.exe File opened for modification C:\Windows\SysWOW64\Qdieaf32.exe Qolmip32.exe File created C:\Windows\SysWOW64\Cblpaffb.dll Bnhljnhm.exe File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe Gnenfjdh.exe File created C:\Windows\SysWOW64\Oclpdf32.exe Ombhgljn.exe File created C:\Windows\SysWOW64\Bhgaan32.exe Bcjhig32.exe File opened for modification C:\Windows\SysWOW64\Coehnecn.exe Cbagdq32.exe File created C:\Windows\SysWOW64\Hljokk32.dll Djffihmp.exe File created C:\Windows\SysWOW64\Pjpfjf32.dll Ncbfcq32.exe File opened for modification C:\Windows\SysWOW64\Gqkqbe32.exe Gafcahil.exe File opened for modification C:\Windows\SysWOW64\Jplinckj.exe Ilnqhddd.exe File created C:\Windows\SysWOW64\Fjhbihid.dll Ojakdd32.exe File opened for modification C:\Windows\SysWOW64\Qdlialfb.exe Qkcdigpa.exe File created C:\Windows\SysWOW64\Mjeholco.exe Mgglcqdk.exe File created C:\Windows\SysWOW64\Meafpibb.exe Mkkbcpbl.exe File created C:\Windows\SysWOW64\Bnipcbbg.dll Gmhmdc32.exe File opened for modification C:\Windows\SysWOW64\Alqplmlb.exe Agchdfmk.exe File opened for modification C:\Windows\SysWOW64\Bcmeogam.exe Bhgaan32.exe File created C:\Windows\SysWOW64\Fofhdidp.exe Flhkhnel.exe File opened for modification C:\Windows\SysWOW64\Dfbdje32.exe Cohlnkeg.exe File opened for modification C:\Windows\SysWOW64\Oahpahel.exe Ojnhdn32.exe File created C:\Windows\SysWOW64\Ghlell32.exe Gledgkfn.exe File created C:\Windows\SysWOW64\Cohlnkeg.exe Cjkcedgp.exe File created C:\Windows\SysWOW64\Nkchooim.dll Kihcakpa.exe File created C:\Windows\SysWOW64\Nafbcl32.dll Opcaiggo.exe File created C:\Windows\SysWOW64\Cofdbh32.dll Bhqdgm32.exe File opened for modification C:\Windows\SysWOW64\Dkolblkk.exe 
Dfbdje32.exe File created C:\Windows\SysWOW64\Jocnbj32.dll Dkolblkk.exe File created C:\Windows\SysWOW64\Gngcgmgi.dll Ebhani32.exe File created C:\Windows\SysWOW64\Eenckc32.exe Eodknifb.exe File created C:\Windows\SysWOW64\Mpmfdi32.dll Mknohpqj.exe -
Program crash (1 IoC)
pid   pid_target  Process       procid_target
3172  3112        WerFault.exe  259
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlkdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jephgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpaidpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fomndhng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflkiapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieaekdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoqfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpcdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgglcqdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpnlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngfhbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnnfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfggeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjfpkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkcdigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgemgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepianef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmeogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimedaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfemdp32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhmdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjgkmqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlegic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llalgdbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmonea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peooek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghkppbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbidof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eenckc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbikokin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciiccbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjndca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbagdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqijmkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgaan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdllci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbhpddbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnhdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmnnakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohjnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Mdfcaegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legcjjjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhkhnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlqpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gledgkfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibebeqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhegcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhookh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe -
Modifies registry class (64 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dabkla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajclkk32.dll" Cjifpdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohqbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpkkbcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcaebh32.dll" Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgchckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpdkajic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihcakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebacfi32.dll" Aioppl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjlnacb.dll" Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdllci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofhdidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkkbcpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmoqfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaqhfpj.dll" Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenmnck.dll" Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lielphqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfemdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cclkcdpl.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdnfckl.dll" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqoqlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbhpddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgdlnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofohkgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pihnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohopjjqj.dll" Folhio32.exe Key created 
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\60dcdb5e4d860a3f281e36c2226a4742212c7b7f7f0471e1fe55fb0ef41f6c4c.exe"; depth 1)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 560
- C:\Windows\SysWOW64\Ekblplgo.exe (command line: C:\Windows\system32\Ekblplgo.exe; depth 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1972
- C:\Windows\SysWOW64\Emailhfb.exe (command line: C:\Windows\system32\Emailhfb.exe; depth 3)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2780
- C:\Windows\SysWOW64\Edmnnakm.exe (command line: C:\Windows\system32\Edmnnakm.exe; depth 4)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2896
- C:\Windows\SysWOW64\Fdpjcaij.exe (command line: C:\Windows\system32\Fdpjcaij.exe; depth 5)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2960
- C:\Windows\SysWOW64\Fgqcel32.exe (command line: C:\Windows\system32\Fgqcel32.exe; depth 6)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1264
- C:\Windows\SysWOW64\Folhio32.exe (command line: C:\Windows\system32\Folhio32.exe; depth 7)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1624
- C:\Windows\SysWOW64\Fcjqpm32.exe (command line: C:\Windows\system32\Fcjqpm32.exe; depth 8)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2132
- C:\Windows\SysWOW64\Foqadnpq.exe (command line: C:\Windows\system32\Foqadnpq.exe; depth 9)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2380
- C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe; depth 10)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2732
- C:\Windows\SysWOW64\Gpfggeai.exe (command line: C:\Windows\system32\Gpfggeai.exe; depth 11)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1512
- C:\Windows\SysWOW64\Gafcahil.exe (command line: C:\Windows\system32\Gafcahil.exe; depth 12)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 956
- C:\Windows\SysWOW64\Gqkqbe32.exe (command line: C:\Windows\system32\Gqkqbe32.exe; depth 13)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2552
- C:\Windows\SysWOW64\Gnoaliln.exe (command line: C:\Windows\system32\Gnoaliln.exe; depth 14)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1448
- C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe; depth 15)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2068
- C:\Windows\SysWOW64\Hjhofj32.exe (command line: C:\Windows\system32\Hjhofj32.exe; depth 16)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2248
- C:\Windows\SysWOW64\Hklhca32.exe (command line: C:\Windows\system32\Hklhca32.exe; depth 17)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2076
- C:\Windows\SysWOW64\Hojqjp32.exe (command line: C:\Windows\system32\Hojqjp32.exe; depth 18)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2548
- C:\Windows\SysWOW64\Hibebeqb.exe (command line: C:\Windows\system32\Hibebeqb.exe; depth 19)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2180
- C:\Windows\SysWOW64\Hnomkloi.exe (command line: C:\Windows\system32\Hnomkloi.exe; depth 20)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1096
- C:\Windows\SysWOW64\Iggbdb32.exe (command line: C:\Windows\system32\Iggbdb32.exe; depth 21)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1536
- C:\Windows\SysWOW64\Iapfmg32.exe (command line: C:\Windows\system32\Iapfmg32.exe; depth 22)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1076
- C:\Windows\SysWOW64\Iabcbg32.exe (command line: C:\Windows\system32\Iabcbg32.exe; depth 23)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1116
- C:\Windows\SysWOW64\Ijjgkmqh.exe (command line: C:\Windows\system32\Ijjgkmqh.exe; depth 24)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 904
- C:\Windows\SysWOW64\Ibeloo32.exe (command line: C:\Windows\system32\Ibeloo32.exe; depth 25)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1924
- C:\Windows\SysWOW64\Ilnqhddd.exe (command line: C:\Windows\system32\Ilnqhddd.exe; depth 26)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 2140
- C:\Windows\SysWOW64\Jplinckj.exe (command line: C:\Windows\system32\Jplinckj.exe; depth 27)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 1720
- C:\Windows\SysWOW64\Jffakm32.exe (command line: C:\Windows\system32\Jffakm32.exe; depth 28)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2740
- C:\Windows\SysWOW64\Jlegic32.exe (command line: C:\Windows\system32\Jlegic32.exe; depth 29)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1588
- C:\Windows\SysWOW64\Jaaoakmc.exe (command line: C:\Windows\system32\Jaaoakmc.exe; depth 30)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 2640
- C:\Windows\SysWOW64\Jephgi32.exe (command line: C:\Windows\system32\Jephgi32.exe; depth 31)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2904
- C:\Windows\SysWOW64\Jjlqpp32.exe (command line: C:\Windows\system32\Jjlqpp32.exe; depth 32)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2656
- C:\Windows\SysWOW64\Khpaidpk.exe (command line: C:\Windows\system32\Khpaidpk.exe; depth 33)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2816
- C:\Windows\SysWOW64\Kbjbibli.exe (command line: C:\Windows\system32\Kbjbibli.exe; depth 34)
  - Executes dropped EXE
  PID: 2052
- C:\Windows\SysWOW64\Kghkppbp.exe (command line: C:\Windows\system32\Kghkppbp.exe; depth 35)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1692
- C:\Windows\SysWOW64\Kppohf32.exe (command line: C:\Windows\system32\Kppohf32.exe; depth 36)
  - Executes dropped EXE
  - Modifies registry class
  PID: 536
- C:\Windows\SysWOW64\Kihcakpa.exe (command line: C:\Windows\system32\Kihcakpa.exe; depth 37)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2964
- C:\Windows\SysWOW64\Lohiob32.exe (command line: C:\Windows\system32\Lohiob32.exe; depth 38)
  - Executes dropped EXE
  - Modifies registry class
  PID: 3024
- C:\Windows\SysWOW64\Lhpmhgbf.exe (command line: C:\Windows\system32\Lhpmhgbf.exe; depth 39)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1296
- C:\Windows\SysWOW64\Lednal32.exe (command line: C:\Windows\system32\Lednal32.exe; depth 40)
  - Executes dropped EXE
  PID: 736
- C:\Windows\SysWOW64\Lhegcg32.exe (command line: C:\Windows\system32\Lhegcg32.exe; depth 41)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1700
- C:\Windows\SysWOW64\Lppkgi32.exe (command line: C:\Windows\system32\Lppkgi32.exe; depth 42)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2336
- C:\Windows\SysWOW64\Ljhppo32.exe (command line: C:\Windows\system32\Ljhppo32.exe; depth 43)
  - Executes dropped EXE
  PID: 2292
- C:\Windows\SysWOW64\Mliibj32.exe (command line: C:\Windows\system32\Mliibj32.exe; depth 44)
  - Executes dropped EXE
  PID: 2220
- C:\Windows\SysWOW64\Nqijmkfm.exe (command line: C:\Windows\system32\Nqijmkfm.exe; depth 45)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2176
- C:\Windows\SysWOW64\Njaoeq32.exe (command line: C:\Windows\system32\Njaoeq32.exe; depth 46)
  - Executes dropped EXE
  PID: 1532
- C:\Windows\SysWOW64\Ombhgljn.exe (command line: C:\Windows\system32\Ombhgljn.exe; depth 47)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1100
- C:\Windows\SysWOW64\Oclpdf32.exe (command line: C:\Windows\system32\Oclpdf32.exe; depth 48)
  - Executes dropped EXE
  PID: 1784
- C:\Windows\SysWOW64\Oenmkngi.exe (command line: C:\Windows\system32\Oenmkngi.exe; depth 49)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 936
- C:\Windows\SysWOW64\Opcaiggo.exe (command line: C:\Windows\system32\Opcaiggo.exe; depth 50)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2212
- C:\Windows\SysWOW64\Oepianef.exe (command line: C:\Windows\system32\Oepianef.exe; depth 51)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2888
- C:\Windows\SysWOW64\Oafjfokk.exe (command line: C:\Windows\system32\Oafjfokk.exe; depth 52)
  - Executes dropped EXE
  PID: 2760
- C:\Windows\SysWOW64\Ohqbbi32.exe (command line: C:\Windows\system32\Ohqbbi32.exe; depth 53)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2848
- C:\Windows\SysWOW64\Obffpa32.exe (command line: C:\Windows\system32\Obffpa32.exe; depth 54)
  - Executes dropped EXE
  PID: 2056
- C:\Windows\SysWOW64\Odgchjhl.exe (command line: C:\Windows\system32\Odgchjhl.exe; depth 55)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2108
- C:\Windows\SysWOW64\Ojakdd32.exe (command line: C:\Windows\system32\Ojakdd32.exe; depth 56)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2264
- C:\Windows\SysWOW64\Phelnhnb.exe (command line: C:\Windows\system32\Phelnhnb.exe; depth 57)
  - Executes dropped EXE
  - Modifies registry class
  PID: 1744
- C:\Windows\SysWOW64\Pnodjb32.exe (command line: C:\Windows\system32\Pnodjb32.exe; depth 58)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2560
- C:\Windows\SysWOW64\Pdllci32.exe (command line: C:\Windows\system32\Pdllci32.exe; depth 59)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2924
- C:\Windows\SysWOW64\Pmdalo32.exe (command line: C:\Windows\system32\Pmdalo32.exe; depth 60)
  - Executes dropped EXE
  PID: 360
- C:\Windows\SysWOW64\Pdnihiad.exe (command line: C:\Windows\system32\Pdnihiad.exe; depth 61)
  - Executes dropped EXE
  PID: 3068
- C:\Windows\SysWOW64\Pikaqppk.exe (command line: C:\Windows\system32\Pikaqppk.exe; depth 62)
  - Executes dropped EXE
  PID: 2788
- C:\Windows\SysWOW64\Ppejmj32.exe (command line: C:\Windows\system32\Ppejmj32.exe; depth 63)
  - Executes dropped EXE
  PID: 1576
- C:\Windows\SysWOW64\Pmijgn32.exe (command line: C:\Windows\system32\Pmijgn32.exe; depth 64)
  - Executes dropped EXE
  PID: 2240
- C:\Windows\SysWOW64\Pbfcoedi.exe (command line: C:\Windows\system32\Pbfcoedi.exe; depth 65)
  - Executes dropped EXE
  - Modifies registry class
  PID: 1160
- C:\Windows\SysWOW64\Phckglbq.exe (command line: C:\Windows\system32\Phckglbq.exe; depth 66)
  PID: 1348
- C:\Windows\SysWOW64\Qbhpddbf.exe (command line: C:\Windows\system32\Qbhpddbf.exe; depth 67)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1940
- C:\Windows\SysWOW64\Qibhao32.exe (command line: C:\Windows\system32\Qibhao32.exe; depth 68)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1952
- C:\Windows\SysWOW64\Qkcdigpa.exe (command line: C:\Windows\system32\Qkcdigpa.exe; depth 69)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2508
- C:\Windows\SysWOW64\Qdlialfb.exe (command line: C:\Windows\system32\Qdlialfb.exe; depth 70)
  PID: 868
- C:\Windows\SysWOW64\Amdmkb32.exe (command line: C:\Windows\system32\Amdmkb32.exe; depth 71)
  PID: 1636
- C:\Windows\SysWOW64\Akhndf32.exe (command line: C:\Windows\system32\Akhndf32.exe; depth 72)
  - Drops file in System32 directory
  PID: 1584
- C:\Windows\SysWOW64\Aabfqp32.exe (command line: C:\Windows\system32\Aabfqp32.exe; depth 73)
  - Modifies registry class
  PID: 2776
- C:\Windows\SysWOW64\Agonig32.exe (command line: C:\Windows\system32\Agonig32.exe; depth 74)
  PID: 2648
- C:\Windows\SysWOW64\Aniffaim.exe (command line: C:\Windows\system32\Aniffaim.exe; depth 75)
  - Modifies registry class
  PID: 1708
- C:\Windows\SysWOW64\Akmgoehg.exe (command line: C:\Windows\system32\Akmgoehg.exe; depth 76)
  - Modifies registry class
  PID: 3028
- C:\Windows\SysWOW64\Alncgn32.exe (command line: C:\Windows\system32\Alncgn32.exe; depth 77)
  PID: 2956
- C:\Windows\SysWOW64\Agchdfmk.exe (command line: C:\Windows\system32\Agchdfmk.exe; depth 78)
  - Drops file in System32 directory
  PID: 3000
- C:\Windows\SysWOW64\Alqplmlb.exe (command line: C:\Windows\system32\Alqplmlb.exe; depth 79)
  - Drops file in System32 directory
  PID: 2348
- C:\Windows\SysWOW64\Bcjhig32.exe (command line: C:\Windows\system32\Bcjhig32.exe; depth 80)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 1180
- C:\Windows\SysWOW64\Bhgaan32.exe (command line: C:\Windows\system32\Bhgaan32.exe; depth 81)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 840
- C:\Windows\SysWOW64\Bcmeogam.exe (command line: C:\Windows\system32\Bcmeogam.exe; depth 82)
  - System Location Discovery: System Language Discovery
  PID: 2188
- C:\Windows\SysWOW64\Bhjngnod.exe (command line: C:\Windows\system32\Bhjngnod.exe; depth 83)
  PID: 2164
- C:\Windows\SysWOW64\Bdpnlo32.exe (command line: C:\Windows\system32\Bdpnlo32.exe; depth 84)
  - System Location Discovery: System Language Discovery
  PID: 1664
- C:\Windows\SysWOW64\Bkjfhile.exe (command line: C:\Windows\system32\Bkjfhile.exe; depth 85)
  PID: 2436
- C:\Windows\SysWOW64\Bfpkfb32.exe (command line: C:\Windows\system32\Bfpkfb32.exe; depth 86)
  PID: 2136
- C:\Windows\SysWOW64\Bgagnjbi.exe (command line: C:\Windows\system32\Bgagnjbi.exe; depth 87)
  PID: 2480
- C:\Windows\SysWOW64\Bbflkcao.exe (command line: C:\Windows\system32\Bbflkcao.exe; depth 88)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2676
- C:\Windows\SysWOW64\Bhqdgm32.exe (command line: C:\Windows\system32\Bhqdgm32.exe; depth 89)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 320
- C:\Windows\SysWOW64\Cnmlpd32.exe (command line: C:\Windows\system32\Cnmlpd32.exe; depth 90)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2628
- C:\Windows\SysWOW64\Cdgdlnop.exe (command line: C:\Windows\system32\Cdgdlnop.exe; depth 91)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1668
- C:\Windows\SysWOW64\Cmbiap32.exe (command line: C:\Windows\system32\Cmbiap32.exe; depth 92)
  PID: 2992
- C:\Windows\SysWOW64\Cghmni32.exe (command line: C:\Windows\system32\Cghmni32.exe; depth 93)
  PID: 2984
- C:\Windows\SysWOW64\Cnbfkccn.exe (command line: C:\Windows\system32\Cnbfkccn.exe; depth 94)
  - Modifies registry class
  PID: 1036
- C:\Windows\SysWOW64\Cgjjdijo.exe (command line: C:\Windows\system32\Cgjjdijo.exe; depth 95)
  - Drops file in System32 directory
  PID: 2328
- C:\Windows\SysWOW64\Cjifpdib.exe (command line: C:\Windows\system32\Cjifpdib.exe; depth 96)
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2456
- C:\Windows\SysWOW64\Cofohkgi.exe (command line: C:\Windows\system32\Cofohkgi.exe; depth 97)
  - Modifies registry class
  PID: 2196
- C:\Windows\SysWOW64\Cjkcedgp.exe (command line: C:\Windows\system32\Cjkcedgp.exe; depth 98)
  - Drops file in System32 directory
  - Modifies registry class
  PID: 852
- C:\Windows\SysWOW64\Cohlnkeg.exe (command line: C:\Windows\system32\Cohlnkeg.exe; depth 99)
  - Drops file in System32 directory
  PID: 1376
- C:\Windows\SysWOW64\Dfbdje32.exe (command line: C:\Windows\system32\Dfbdje32.exe; depth 100)
  - Drops file in System32 directory
  PID: 2044
- C:\Windows\SysWOW64\Dkolblkk.exe (command line: C:\Windows\system32\Dkolblkk.exe; depth 101)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2232
- C:\Windows\SysWOW64\Dbidof32.exe (command line: C:\Windows\system32\Dbidof32.exe; depth 102)
  - System Location Discovery: System Language Discovery
  PID: 1556
- C:\Windows\SysWOW64\Dgemgm32.exe (command line: C:\Windows\system32\Dgemgm32.exe; depth 103)
  - System Location Discovery: System Language Discovery
  PID: 2856
- C:\Windows\SysWOW64\Dnpedghl.exe (command line: C:\Windows\system32\Dnpedghl.exe; depth 104)
  PID: 2652
- C:\Windows\SysWOW64\Dieiap32.exe (command line: C:\Windows\system32\Dieiap32.exe; depth 105)
  PID: 1612
- C:\Windows\SysWOW64\Djffihmp.exe (command line: C:\Windows\system32\Djffihmp.exe; depth 106)
  - Drops file in System32 directory
  PID: 1000
- C:\Windows\SysWOW64\Dapnfb32.exe (command line: C:\Windows\system32\Dapnfb32.exe; depth 107)
  PID: 1152
- C:\Windows\SysWOW64\Dlfbck32.exe (command line: C:\Windows\system32\Dlfbck32.exe; depth 108)
  PID: 1088
- C:\Windows\SysWOW64\Dabkla32.exe (command line: C:\Windows\system32\Dabkla32.exe; depth 109)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2516
- C:\Windows\SysWOW64\Dfpcdh32.exe (command line: C:\Windows\system32\Dfpcdh32.exe; depth 110)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  PID: 2448
- C:\Windows\SysWOW64\Emilqb32.exe (command line: C:\Windows\system32\Emilqb32.exe; depth 111)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2224
- C:\Windows\SysWOW64\Eccdmmpk.exe (command line: C:\Windows\system32\Eccdmmpk.exe; depth 112)
  - System Location Discovery: System Language Discovery
  PID: 1156
- C:\Windows\SysWOW64\Ejmljg32.exe (command line: C:\Windows\system32\Ejmljg32.exe; depth 113)
  PID: 2396
- C:\Windows\SysWOW64\Eagdgaoe.exe (command line: C:\Windows\system32\Eagdgaoe.exe; depth 114)
  - Modifies registry class
  PID: 2712
- C:\Windows\SysWOW64\Ebhani32.exe (command line: C:\Windows\system32\Ebhani32.exe; depth 115)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2764
- C:\Windows\SysWOW64\Eibikc32.exe (command line: C:\Windows\system32\Eibikc32.exe; depth 116)
  PID: 2404
- C:\Windows\SysWOW64\Ebkndibq.exe (command line: C:\Windows\system32\Ebkndibq.exe; depth 117)
  PID: 480
- C:\Windows\SysWOW64\Emqaaabg.exe (command line: C:\Windows\system32\Emqaaabg.exe; depth 118)
  PID: 2376
- C:\Windows\SysWOW64\Eponmmaj.exe (command line: C:\Windows\system32\Eponmmaj.exe; depth 119)
  PID: 2444
- C:\Windows\SysWOW64\Efifjg32.exe (command line: C:\Windows\system32\Efifjg32.exe; depth 120)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2244
- C:\Windows\SysWOW64\Eigbfb32.exe (command line: C:\Windows\system32\Eigbfb32.exe; depth 121)
  PID: 592
- C:\Windows\SysWOW64\Eodknifb.exe (command line: C:\Windows\system32\Eodknifb.exe; depth 122)
  - Drops file in System32 directory
  PID: 2576