Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
51s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 22:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
813f4cc4b29a77d3ebf5ac15cb7f8600N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
813f4cc4b29a77d3ebf5ac15cb7f8600N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
813f4cc4b29a77d3ebf5ac15cb7f8600N.exe
-
Size
224KB
-
MD5
813f4cc4b29a77d3ebf5ac15cb7f8600
-
SHA1
7a45a57608aab2e7d878926ba7a49ee24ea29435
-
SHA256
51b3cce75a0b0523e95aa57ee2a8ff4e692bf27a5299c458f2e2a12cbc3928d0
-
SHA512
86a257e0bc4885f64f2ae5387f934b86fe037ca3dd23cedd06cd3d157a8422e26c86c72a4ef9ab9fc888bfb58934d43df32a7c4ad2546186bd0ad4c042dd66c2
-
SSDEEP
6144:LyCTW4l/Yfx94rQD85k/hQO+zrWnAdqjeOpKff:G4OMrQg5W/+zrWAI5KH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddoiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjdiigbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnmfmoaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcmedmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbaflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epkgkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odpeop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cplkehnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfdigocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcqkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdlkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbnjpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekcmkamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpkdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqjdon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljnebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjqlbdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpekjie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mknaahhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okecak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffahgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idagdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glefpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpenkgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkakad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjnpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piipibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdejpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonlld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpkjjofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfmbmkgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbdif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibmglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlleni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aendjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enomam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noojfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eelinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcckjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biiljjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfgkleh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giogonlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblkgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heedbbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofaaghom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abkncmhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giljinne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbpfhpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiolio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncllifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edghighp.exe -
Executes dropped EXE 64 IoCs
pid Process 788 Jollgl32.exe 2156 Jffddfjk.exe 2808 Jigmeagl.exe 2832 Jboanfmm.exe 2752 Jadnoc32.exe 2632 Jjmchhhe.exe 1124 Kjopnh32.exe 2460 Kcgdgnmc.exe 2132 Kjdiigbm.exe 2648 Kbonmjph.exe 2924 Lhnckp32.exe 2388 Lafgdfbm.exe 1216 Lkahbkgk.exe 1512 Legmpdga.exe 2292 Lkfbmj32.exe 1480 Mdnffpif.exe 1996 Mpgdaqmh.exe 900 Medligko.exe 576 Momqbm32.exe 2168 Mheekb32.exe 2288 Mhgbpb32.exe 2408 Nkfnln32.exe 1584 Nocgbl32.exe 2820 Nabcog32.exe 2828 Ngolgn32.exe 1748 Ndclpb32.exe 2620 Nqjmec32.exe 2856 Nlpmjdce.exe 620 Noojfpbi.exe 2352 Ofibcj32.exe 3048 Ombjpd32.exe 1088 Ooaflp32.exe 2900 Ofkoijhc.exe 1076 Ohikeegf.exe 1620 Ocoobngl.exe 2572 Ofmknifp.exe 2244 Oilgje32.exe 2996 Oofpgolq.exe 1616 Ofphdi32.exe 2672 Oindpd32.exe 916 Oohmmojn.exe 772 Obfiijia.exe 2268 Ogcaaahi.exe 1472 Pjbnmm32.exe 2192 Pegaje32.exe 2680 Pgfnfq32.exe 2720 Pnpfckmc.exe 2956 Panboflg.exe 2016 Pfkkhmjn.exe 3060 Pnbcij32.exe 1128 Ppcoqbao.exe 2000 Pfmgmm32.exe 2144 Pildih32.exe 2040 Paclje32.exe 2904 Ppelfbol.exe 2488 Pfpdcm32.exe 1208 Pllmkcdp.exe 2988 Pccelqeb.exe 1880 Qeeadi32.exe 2220 Qmlief32.exe 1528 Qnmfmoaa.exe 960 Qfdnnlbc.exe 2364 Qlaffbqk.exe 1568 Abkncmhh.exe -
Loads dropped DLL 64 IoCs
pid Process 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 788 Jollgl32.exe 788 Jollgl32.exe 2156 Jffddfjk.exe 2156 Jffddfjk.exe 2808 Jigmeagl.exe 2808 Jigmeagl.exe 2832 Jboanfmm.exe 2832 Jboanfmm.exe 2752 Jadnoc32.exe 2752 Jadnoc32.exe 2632 Jjmchhhe.exe 2632 Jjmchhhe.exe 1124 Kjopnh32.exe 1124 Kjopnh32.exe 2460 Kcgdgnmc.exe 2460 Kcgdgnmc.exe 2132 Kjdiigbm.exe 2132 Kjdiigbm.exe 2648 Kbonmjph.exe 2648 Kbonmjph.exe 2924 Lhnckp32.exe 2924 Lhnckp32.exe 2388 Lafgdfbm.exe 2388 Lafgdfbm.exe 1216 Lkahbkgk.exe 1216 Lkahbkgk.exe 1512 Legmpdga.exe 1512 Legmpdga.exe 2292 Lkfbmj32.exe 2292 Lkfbmj32.exe 1480 Mdnffpif.exe 1480 Mdnffpif.exe 1996 Mpgdaqmh.exe 1996 Mpgdaqmh.exe 900 Medligko.exe 900 Medligko.exe 576 Momqbm32.exe 576 Momqbm32.exe 2168 Mheekb32.exe 2168 Mheekb32.exe 2288 Mhgbpb32.exe 2288 Mhgbpb32.exe 2408 Nkfnln32.exe 2408 Nkfnln32.exe 1584 Nocgbl32.exe 1584 Nocgbl32.exe 2820 Nabcog32.exe 2820 Nabcog32.exe 2828 Ngolgn32.exe 2828 Ngolgn32.exe 1748 Ndclpb32.exe 1748 Ndclpb32.exe 2620 Nqjmec32.exe 2620 Nqjmec32.exe 2856 Nlpmjdce.exe 2856 Nlpmjdce.exe 620 Noojfpbi.exe 620 Noojfpbi.exe 2352 Ofibcj32.exe 2352 Ofibcj32.exe 3048 Ombjpd32.exe 3048 Ombjpd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iodolf32.exe Idojon32.exe File created C:\Windows\SysWOW64\Lbeiij32.dll Jdhmel32.exe File created C:\Windows\SysWOW64\Nlkmeo32.exe Naeigf32.exe File created C:\Windows\SysWOW64\Gghcjdmg.dll Efoobkej.exe File opened for modification C:\Windows\SysWOW64\Iiiogoac.exe Igjckcbo.exe File created C:\Windows\SysWOW64\Ecfcle32.exe Epkgkfmd.exe File created C:\Windows\SysWOW64\Ogcaaahi.exe Obfiijia.exe File created C:\Windows\SysWOW64\Djiegp32.exe Dhhhphmc.exe File opened for modification C:\Windows\SysWOW64\Hgnjlfam.exe Hpcbol32.exe File created C:\Windows\SysWOW64\Ikfbai32.dll Afojgiei.exe File opened for modification C:\Windows\SysWOW64\Obfiijia.exe Oohmmojn.exe File opened for modification C:\Windows\SysWOW64\Flmglfhk.exe Fagcnmie.exe File opened for modification C:\Windows\SysWOW64\Ianambhc.exe Iopeagip.exe File created C:\Windows\SysWOW64\Jpojog32.dll Jjefmc32.exe File created C:\Windows\SysWOW64\Oeakle32.dll Hiichkog.exe File opened for modification C:\Windows\SysWOW64\Flkjffkm.exe Filnjk32.exe File created C:\Windows\SysWOW64\Bdpjjaiq.exe Baannfim.exe File opened for modification C:\Windows\SysWOW64\Legmpdga.exe Lkahbkgk.exe File created C:\Windows\SysWOW64\Qlaffbqk.exe Qfdnnlbc.exe File created C:\Windows\SysWOW64\Aelgdhei.exe Abmkhmfe.exe File opened for modification C:\Windows\SysWOW64\Cgfcabeh.exe Cplkehnk.exe File created C:\Windows\SysWOW64\Hnjonpgg.exe Hincna32.exe File created C:\Windows\SysWOW64\Bkheal32.exe Bhiiepcl.exe File created C:\Windows\SysWOW64\Gjhfkqdm.exe Glefpd32.exe File created C:\Windows\SysWOW64\Ljaplc32.dll Lkfbmj32.exe File opened for modification C:\Windows\SysWOW64\Gbglgcbc.exe Giogonlb.exe File opened for modification C:\Windows\SysWOW64\Efakhk32.exe Eogckqkk.exe File opened for modification C:\Windows\SysWOW64\Glefpd32.exe Gekncjfe.exe File created C:\Windows\SysWOW64\Lafgdfbm.exe Lhnckp32.exe File created C:\Windows\SysWOW64\Oilgje32.exe Ofmknifp.exe File opened for modification C:\Windows\SysWOW64\Paclje32.exe Pildih32.exe File opened for modification C:\Windows\SysWOW64\Hnjonpgg.exe Hincna32.exe File opened for modification C:\Windows\SysWOW64\Ilolol32.exe Heedbbdb.exe File opened for modification C:\Windows\SysWOW64\Pqdend32.exe Pobhfl32.exe File created C:\Windows\SysWOW64\Fnoiqpqk.exe Fmnmih32.exe File opened for modification C:\Windows\SysWOW64\Gdedoegh.exe Gmklbk32.exe File opened for modification C:\Windows\SysWOW64\Mheekb32.exe Momqbm32.exe File opened for modification C:\Windows\SysWOW64\Naeigf32.exe Ncbilimn.exe File opened for modification C:\Windows\SysWOW64\Ffokan32.exe Fpecddpi.exe File created C:\Windows\SysWOW64\Ncbfdlcj.dll Knckbe32.exe File created C:\Windows\SysWOW64\Ejobqp32.dll Dfgpnm32.exe File created C:\Windows\SysWOW64\Oahllk32.dll Pncllifp.exe File opened for modification C:\Windows\SysWOW64\Apphpp32.exe Amalcd32.exe File created C:\Windows\SysWOW64\Gniidaih.dll Boohgk32.exe File created C:\Windows\SysWOW64\Mkbjgp32.dll Bhiiepcl.exe File created C:\Windows\SysWOW64\Mqkgeb32.dll Chdlidjm.exe File created C:\Windows\SysWOW64\Kbonmjph.exe Kjdiigbm.exe File created C:\Windows\SysWOW64\Bbpdmp32.exe Bpahad32.exe File created C:\Windows\SysWOW64\Enijcn32.exe Ejnnbpol.exe File opened for modification C:\Windows\SysWOW64\Emogdk32.exe Ejpkho32.exe File created C:\Windows\SysWOW64\Galhhp32.exe Gonlld32.exe File created C:\Windows\SysWOW64\Jjfkao32.dll Mhmhpm32.exe File created C:\Windows\SysWOW64\Cmcfpikj.dll Oohmmojn.exe File created C:\Windows\SysWOW64\Nnogai32.dll Mdibpn32.exe File opened for modification C:\Windows\SysWOW64\Fpnekc32.exe Flcjjdpe.exe File created C:\Windows\SysWOW64\Iedmhlqf.exe Hojeka32.exe File created C:\Windows\SysWOW64\Iodolf32.exe Idojon32.exe File created C:\Windows\SysWOW64\Nbabfmjp.dll Ecdffe32.exe File created C:\Windows\SysWOW64\Bfqliakm.dll Bfjmkn32.exe File created C:\Windows\SysWOW64\Dihbqgdl.dll Pfpdcm32.exe File opened for modification C:\Windows\SysWOW64\Pnpfckmc.exe Pgfnfq32.exe File created C:\Windows\SysWOW64\Ldmchdcp.dll Eqejjj32.exe File created C:\Windows\SysWOW64\Bflhik32.dll Hmcimq32.exe File created C:\Windows\SysWOW64\Lifoia32.exe Lopjlh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5852 5812 WerFault.exe 531 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paclje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnngeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piipibff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefdhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdhfdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echpaecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbakmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogckqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfecim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbebcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhmnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polbemck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnoepam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhjfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clheeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkheh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcckjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngolgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijdcdgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbonh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcmkamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igomfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnohmog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdonndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofhqiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofphdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffiebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heedbbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblkgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfeldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajelmiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpcoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclmlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkncmhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acldpojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdlidjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihkoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmcfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ianambhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikafpbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniebmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pildih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqonjmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjcqpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chghodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegaje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaaghom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apphpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjpfmic.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Befcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkdhfdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnnpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpdfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgfppka.dll" Pbcahgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodkcbje.dll" Ohfgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olhmnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclfmph.dll" Abcngkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppcoqbao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blabef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hincna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpgjob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdegpplg.dll" Cioohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnmdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedgbn32.dll" Enmplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijklmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagdj32.dll" Jlnadiko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolpolge.dll" Kbgqbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coejfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bepmokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfklfa32.dll" Ijeinphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbfdlcj.dll" Knckbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbajq32.dll" Lmondpbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkfbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljaplc32.dll" Lkfbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcfpikj.dll" Oohmmojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjbnmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfmcapna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipbgci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahmpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkmegaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fenedlec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nefncd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kehidp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioebelhe.dll" Dclikp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjeblf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkokjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nknmplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheeallp.dll" Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaengmn.dll" Lafgdfbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Medligko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpcaeghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmfoon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhplfp32.dll" Glhjpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifgeike.dll" Caajmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbaflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indiip32.dll" Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objdcnnk.dll" Laccdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlnadiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqliakm.dll" Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abmkhmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llomka32.dll" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alnoepam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhgonj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohikeegf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 788 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 29 PID 2524 wrote to memory of 788 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 29 PID 2524 wrote to memory of 788 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 29 PID 2524 wrote to memory of 788 2524 813f4cc4b29a77d3ebf5ac15cb7f8600N.exe 29 PID 788 wrote to memory of 2156 788 Jollgl32.exe 30 PID 788 wrote to memory of 2156 788 Jollgl32.exe 30 PID 788 wrote to memory of 2156 788 Jollgl32.exe 30 PID 788 wrote to memory of 2156 788 Jollgl32.exe 30 PID 2156 wrote to memory of 2808 2156 Jffddfjk.exe 31 PID 2156 wrote to memory of 2808 2156 Jffddfjk.exe 31 PID 2156 wrote to memory of 2808 2156 Jffddfjk.exe 31 PID 2156 wrote to memory of 2808 2156 Jffddfjk.exe 31 PID 2808 wrote to memory of 2832 2808 Jigmeagl.exe 32 PID 2808 wrote to memory of 2832 2808 Jigmeagl.exe 32 PID 2808 wrote to memory of 2832 2808 Jigmeagl.exe 32 PID 2808 wrote to memory of 2832 2808 Jigmeagl.exe 32 PID 2832 wrote to memory of 2752 2832 Jboanfmm.exe 33 PID 2832 wrote to memory of 2752 2832 Jboanfmm.exe 33 PID 2832 wrote to memory of 2752 2832 Jboanfmm.exe 33 PID 2832 wrote to memory of 2752 2832 Jboanfmm.exe 33 PID 2752 wrote to memory of 2632 2752 Jadnoc32.exe 34 PID 2752 wrote to memory of 2632 2752 Jadnoc32.exe 34 PID 2752 wrote to memory of 2632 2752 Jadnoc32.exe 34 PID 2752 wrote to memory of 2632 2752 Jadnoc32.exe 34 PID 2632 wrote to memory of 1124 2632 Jjmchhhe.exe 35 PID 2632 wrote to memory of 1124 2632 Jjmchhhe.exe 35 PID 2632 wrote to memory of 1124 2632 Jjmchhhe.exe 35 PID 2632 wrote to memory of 1124 2632 Jjmchhhe.exe 35 PID 1124 wrote to memory of 2460 1124 Kjopnh32.exe 36 PID 1124 wrote to memory of 2460 1124 Kjopnh32.exe 36 PID 1124 wrote to memory of 2460 1124 Kjopnh32.exe 36 PID 1124 wrote to memory of 2460 1124 Kjopnh32.exe 36 PID 2460 wrote to memory of 2132 2460 Kcgdgnmc.exe 37 PID 2460 wrote to memory of 2132 2460 Kcgdgnmc.exe 37 PID 2460 wrote to memory of 2132 2460 Kcgdgnmc.exe 37 PID 2460 wrote to memory of 2132 2460 Kcgdgnmc.exe 37 PID 2132 wrote to memory of 2648 2132 Kjdiigbm.exe 38 PID 2132 wrote to memory of 2648 2132 Kjdiigbm.exe 38 PID 2132 wrote to memory of 2648 2132 Kjdiigbm.exe 38 PID 2132 wrote to memory of 2648 2132 Kjdiigbm.exe 38 PID 2648 wrote to memory of 2924 2648 Kbonmjph.exe 39 PID 2648 wrote to memory of 2924 2648 Kbonmjph.exe 39 PID 2648 wrote to memory of 2924 2648 Kbonmjph.exe 39 PID 2648 wrote to memory of 2924 2648 Kbonmjph.exe 39 PID 2924 wrote to memory of 2388 2924 Lhnckp32.exe 40 PID 2924 wrote to memory of 2388 2924 Lhnckp32.exe 40 PID 2924 wrote to memory of 2388 2924 Lhnckp32.exe 40 PID 2924 wrote to memory of 2388 2924 Lhnckp32.exe 40 PID 2388 wrote to memory of 1216 2388 Lafgdfbm.exe 41 PID 2388 wrote to memory of 1216 2388 Lafgdfbm.exe 41 PID 2388 wrote to memory of 1216 2388 Lafgdfbm.exe 41 PID 2388 wrote to memory of 1216 2388 Lafgdfbm.exe 41 PID 1216 wrote to memory of 1512 1216 Lkahbkgk.exe 42 PID 1216 wrote to memory of 1512 1216 Lkahbkgk.exe 42 PID 1216 wrote to memory of 1512 1216 Lkahbkgk.exe 42 PID 1216 wrote to memory of 1512 1216 Lkahbkgk.exe 42 PID 1512 wrote to memory of 2292 1512 Legmpdga.exe 43 PID 1512 wrote to memory of 2292 1512 Legmpdga.exe 43 PID 1512 wrote to memory of 2292 1512 Legmpdga.exe 43 PID 1512 wrote to memory of 2292 1512 Legmpdga.exe 43 PID 2292 wrote to memory of 1480 2292 Lkfbmj32.exe 44 PID 2292 wrote to memory of 1480 2292 Lkfbmj32.exe 44 PID 2292 wrote to memory of 1480 2292 Lkfbmj32.exe 44 PID 2292 wrote to memory of 1480 2292 Lkfbmj32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\813f4cc4b29a77d3ebf5ac15cb7f8600N.exe"C:\Users\Admin\AppData\Local\Temp\813f4cc4b29a77d3ebf5ac15cb7f8600N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jollgl32.exeC:\Windows\system32\Jollgl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Jffddfjk.exeC:\Windows\system32\Jffddfjk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Jigmeagl.exeC:\Windows\system32\Jigmeagl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Kcgdgnmc.exeC:\Windows\system32\Kcgdgnmc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kbonmjph.exeC:\Windows\system32\Kbonmjph.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Legmpdga.exeC:\Windows\system32\Legmpdga.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Lkfbmj32.exeC:\Windows\system32\Lkfbmj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Nocgbl32.exeC:\Windows\system32\Nocgbl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Ngolgn32.exeC:\Windows\system32\Ngolgn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Ofkoijhc.exeC:\Windows\system32\Ofkoijhc.exe34⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ohikeegf.exeC:\Windows\system32\Ohikeegf.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe36⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Oilgje32.exeC:\Windows\system32\Oilgje32.exe38⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Oofpgolq.exeC:\Windows\system32\Oofpgolq.exe39⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe41⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe44⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe48⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe49⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe50⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe51⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe53⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pildih32.exeC:\Windows\system32\Pildih32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe56⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe58⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe59⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe60⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Qfdnnlbc.exeC:\Windows\system32\Qfdnnlbc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe64⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Abkncmhh.exeC:\Windows\system32\Abkncmhh.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe66⤵PID:844
-
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe67⤵PID:2224
-
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe69⤵PID:2744
-
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe70⤵PID:2700
-
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe74⤵PID:2888
-
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe75⤵PID:3032
-
C:\Windows\SysWOW64\Ajmihn32.exeC:\Windows\system32\Ajmihn32.exe76⤵PID:2136
-
C:\Windows\SysWOW64\Amledj32.exeC:\Windows\system32\Amledj32.exe77⤵PID:1684
-
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe78⤵PID:2568
-
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe79⤵PID:1692
-
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe80⤵
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Bdhjfc32.exeC:\Windows\system32\Bdhjfc32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe82⤵PID:2004
-
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe83⤵PID:2884
-
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe84⤵PID:3008
-
C:\Windows\SysWOW64\Bigpdjpm.exeC:\Windows\system32\Bigpdjpm.exe85⤵PID:860
-
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe86⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Bbpdmp32.exeC:\Windows\system32\Bbpdmp32.exe87⤵PID:2596
-
C:\Windows\SysWOW64\Biiljjnk.exeC:\Windows\system32\Biiljjnk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe89⤵PID:2896
-
C:\Windows\SysWOW64\Bcbabodk.exeC:\Windows\system32\Bcbabodk.exe90⤵PID:1040
-
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe91⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Bkmegaaf.exeC:\Windows\system32\Bkmegaaf.exe92⤵
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe93⤵PID:1460
-
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Cgdflb32.exeC:\Windows\system32\Cgdflb32.exe95⤵PID:1540
-
C:\Windows\SysWOW64\Cnnohmog.exeC:\Windows\system32\Cnnohmog.exe96⤵
- System Location Discovery: System Language Discovery
PID:1836 -
C:\Windows\SysWOW64\Cplkehnk.exeC:\Windows\system32\Cplkehnk.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Cgfcabeh.exeC:\Windows\system32\Cgfcabeh.exe98⤵PID:1104
-
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe99⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Cdjckfda.exeC:\Windows\system32\Cdjckfda.exe100⤵PID:2816
-
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe102⤵PID:2592
-
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe103⤵PID:2608
-
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe104⤵PID:2684
-
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe105⤵PID:2912
-
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe107⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Cgmiba32.exeC:\Windows\system32\Cgmiba32.exe108⤵PID:2216
-
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe109⤵PID:2380
-
C:\Windows\SysWOW64\Dpenkgfq.exeC:\Windows\system32\Dpenkgfq.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:600 -
C:\Windows\SysWOW64\Dcdjgbed.exeC:\Windows\system32\Dcdjgbed.exe111⤵PID:3024
-
C:\Windows\SysWOW64\Djnbdlla.exeC:\Windows\system32\Djnbdlla.exe112⤵PID:2188
-
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe113⤵PID:2772
-
C:\Windows\SysWOW64\Dcffmb32.exeC:\Windows\system32\Dcffmb32.exe114⤵PID:2052
-
C:\Windows\SysWOW64\Dfecim32.exeC:\Windows\system32\Dfecim32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Dkakad32.exeC:\Windows\system32\Dkakad32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe117⤵PID:2360
-
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe118⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Dghlfe32.exeC:\Windows\system32\Dghlfe32.exe119⤵PID:1416
-
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Dbnpcn32.exeC:\Windows\system32\Dbnpcn32.exe121⤵PID:3012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-