Analysis
max time kernel: 118s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 15:23
Static task: static1
Behavioral task: behavioral1
  Sample: 48e909b9a445b314bbbbe155734fee60N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 48e909b9a445b314bbbbe155734fee60N.exe
  Resource: win10v2004-20240802-en
General
Target: 48e909b9a445b314bbbbe155734fee60N.exe
Size: 512KB
MD5: 48e909b9a445b314bbbbe155734fee60
SHA1: 2ac8bcc4ebeb0abff016b57868a5d6524070ac7a
SHA256: d89591c4909c6bf72675dbc620d6b9164d4b8814312d20cef6f75846172e24d3
SHA512: 21e2ce28e0ece3b5a115f04445d471f2b9b0b5bd60643a70c94cb2d0bb1490c0e72c97efe5ad5fd57b7a81bf3bdeb2dabbdecba8127d59ebe3cb99ff422cda65
SSDEEP: 6144:g8wf/qtrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:gzBr/Ng1/Nblt01PBExK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5180, pid_target: 5136, Process: WerFault.exe, procid_target: 524
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48e909b9a445b314bbbbe155734fee60N.exe"C:\Users\Admin\AppData\Local\Temp\48e909b9a445b314bbbbe155734fee60N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Kdmehh32.exeC:\Windows\system32\Kdmehh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ljjnpo32.exeC:\Windows\system32\Ljjnpo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Loicnemp.exeC:\Windows\system32\Loicnemp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Lcgldc32.exeC:\Windows\system32\Lcgldc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Lifqbjpk.exeC:\Windows\system32\Lifqbjpk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lkdmneoo.exeC:\Windows\system32\Lkdmneoo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Madbll32.exeC:\Windows\system32\Madbll32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mgnjhfbq.exeC:\Windows\system32\Mgnjhfbq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Mnjokphk.exeC:\Windows\system32\Mnjokphk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mdidhfdp.exeC:\Windows\system32\Mdidhfdp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Nifmqm32.exeC:\Windows\system32\Nifmqm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Nmdfglhm.exeC:\Windows\system32\Nmdfglhm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Neojknfh.exeC:\Windows\system32\Neojknfh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Nojljcjf.exeC:\Windows\system32\Nojljcjf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:460 -
C:\Windows\SysWOW64\Neddfm32.exeC:\Windows\system32\Neddfm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Oakdkn32.exeC:\Windows\system32\Oakdkn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Olpiig32.exeC:\Windows\system32\Olpiig32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Oehmamnn.exeC:\Windows\system32\Oehmamnn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Opbnbj32.exeC:\Windows\system32\Opbnbj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ogncddpg.exeC:\Windows\system32\Ogncddpg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Pnkhfnea.exeC:\Windows\system32\Pnkhfnea.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Pcgqoech.exeC:\Windows\system32\Pcgqoech.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe33⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Pehiqp32.exeC:\Windows\system32\Pehiqp32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Phibbk32.exeC:\Windows\system32\Phibbk32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Pkgonf32.exeC:\Windows\system32\Pkgonf32.exe38⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe39⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Qgqlig32.exeC:\Windows\system32\Qgqlig32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Qjoheb32.exeC:\Windows\system32\Qjoheb32.exe43⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Qqiqam32.exeC:\Windows\system32\Qqiqam32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe45⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Qjaejbmq.exeC:\Windows\system32\Qjaejbmq.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Qmpafnld.exeC:\Windows\system32\Qmpafnld.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Adgihkmf.exeC:\Windows\system32\Adgihkmf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe50⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Anonqq32.exeC:\Windows\system32\Anonqq32.exe51⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Aqnjml32.exeC:\Windows\system32\Aqnjml32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe53⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe56⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe57⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Amgggm32.exeC:\Windows\system32\Amgggm32.exe58⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Abcppcdc.exeC:\Windows\system32\Abcppcdc.exe59⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe60⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe61⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Aipebm32.exeC:\Windows\system32\Aipebm32.exe64⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe65⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Bnmmjd32.exeC:\Windows\system32\Bnmmjd32.exe67⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Begegn32.exeC:\Windows\system32\Begegn32.exe68⤵PID:2452
-
C:\Windows\SysWOW64\Bkqnchgo.exeC:\Windows\system32\Bkqnchgo.exe69⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Bbkfpb32.exeC:\Windows\system32\Bbkfpb32.exe70⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe71⤵PID:2584
-
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe72⤵PID:2624
-
C:\Windows\SysWOW64\Bjfkde32.exeC:\Windows\system32\Bjfkde32.exe73⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe74⤵PID:1912
-
C:\Windows\SysWOW64\Bcnomjbg.exeC:\Windows\system32\Bcnomjbg.exe75⤵PID:2968
-
C:\Windows\SysWOW64\Bjhgjdjd.exeC:\Windows\system32\Bjhgjdjd.exe76⤵PID:2816
-
C:\Windows\SysWOW64\Babpgo32.exeC:\Windows\system32\Babpgo32.exe77⤵PID:1872
-
C:\Windows\SysWOW64\Bcqlcj32.exeC:\Windows\system32\Bcqlcj32.exe78⤵PID:1980
-
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Bimdka32.exeC:\Windows\system32\Bimdka32.exe80⤵PID:2348
-
C:\Windows\SysWOW64\Bccihj32.exeC:\Windows\system32\Bccihj32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Cbfidfem.exeC:\Windows\system32\Cbfidfem.exe82⤵PID:3044
-
C:\Windows\SysWOW64\Cfaedeme.exeC:\Windows\system32\Cfaedeme.exe83⤵PID:584
-
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Cfcajekc.exeC:\Windows\system32\Cfcajekc.exe85⤵PID:2732
-
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe86⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe87⤵PID:2312
-
C:\Windows\SysWOW64\Cplfcj32.exeC:\Windows\system32\Cplfcj32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Coofoghn.exeC:\Windows\system32\Coofoghn.exe89⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Cffnpdip.exeC:\Windows\system32\Cffnpdip.exe90⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Ceioka32.exeC:\Windows\system32\Ceioka32.exe91⤵PID:1192
-
C:\Windows\SysWOW64\Cidklp32.exeC:\Windows\system32\Cidklp32.exe92⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe93⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Clecnk32.exeC:\Windows\system32\Clecnk32.exe94⤵PID:264
-
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe95⤵PID:2012
-
C:\Windows\SysWOW64\Cocpjf32.exeC:\Windows\system32\Cocpjf32.exe96⤵PID:868
-
C:\Windows\SysWOW64\Cenhfqle.exeC:\Windows\system32\Cenhfqle.exe97⤵PID:1728
-
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe98⤵PID:2124
-
C:\Windows\SysWOW64\Dmimkc32.exeC:\Windows\system32\Dmimkc32.exe99⤵PID:2580
-
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe100⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Dhnahl32.exeC:\Windows\system32\Dhnahl32.exe101⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Dafeaapg.exeC:\Windows\system32\Dafeaapg.exe103⤵PID:2212
-
C:\Windows\SysWOW64\Dhqnnk32.exeC:\Windows\system32\Dhqnnk32.exe104⤵PID:2896
-
C:\Windows\SysWOW64\Dkojjgfg.exeC:\Windows\system32\Dkojjgfg.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Dmmffbek.exeC:\Windows\system32\Dmmffbek.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Dgfkoh32.exeC:\Windows\system32\Dgfkoh32.exe107⤵PID:2076
-
C:\Windows\SysWOW64\Dkafofde.exeC:\Windows\system32\Dkafofde.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Dmpckbci.exeC:\Windows\system32\Dmpckbci.exe109⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Dpnogmbl.exeC:\Windows\system32\Dpnogmbl.exe110⤵PID:1556
-
C:\Windows\SysWOW64\Ddjkhl32.exeC:\Windows\system32\Ddjkhl32.exe111⤵PID:2684
-
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe112⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Dlepmnhq.exeC:\Windows\system32\Dlepmnhq.exe113⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Doclijgd.exeC:\Windows\system32\Doclijgd.exe114⤵PID:2504
-
C:\Windows\SysWOW64\Dcohih32.exeC:\Windows\system32\Dcohih32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Eemded32.exeC:\Windows\system32\Eemded32.exe116⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Epchbm32.exeC:\Windows\system32\Epchbm32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Eoeiniea.exeC:\Windows\system32\Eoeiniea.exe118⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Eepakc32.exeC:\Windows\system32\Eepakc32.exe119⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Eikmkbeg.exeC:\Windows\system32\Eikmkbeg.exe120⤵PID:2536
-
C:\Windows\SysWOW64\Eljihn32.exeC:\Windows\system32\Eljihn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Eohedi32.exeC:\Windows\system32\Eohedi32.exe122⤵PID:1156