Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 05:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2b8367f913adb5601245d9185407ada0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
2b8367f913adb5601245d9185407ada0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
2b8367f913adb5601245d9185407ada0N.exe
-
Size
448KB
-
MD5
2b8367f913adb5601245d9185407ada0
-
SHA1
7ee93cb873e0ef1f900ec6798bdcc974b1a92390
-
SHA256
29395c988111ee7e53acd6b9a0855ee982f758956bc6359141447be419af78cf
-
SHA512
812d1c77b6fc753407a1a39b7f442b8a11827f31ba56540c8ea38395e9a2b8bd53290197defd6415d4785cfed4961603de8ecdc7f2a87df81cc1c256999ba526
-
SSDEEP
6144:XcbH+SmR5PQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:Mb9mm/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaipghcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpamoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibibfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmoilni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfebhmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcdpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdngip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjhicpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdkbjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaeoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miclhpjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikcbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpfkeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnjfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beogaenl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfgdmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqaode32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpban32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjpgdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepbmhpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjngbihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apilcoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheaiekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnokahip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecadddjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccqhdmbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpban32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onldqejb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djoeki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlphh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befnbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Booiep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhimji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcofica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnehado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebbcdkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjnplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknmok32.exe -
Executes dropped EXE 64 IoCs
pid Process 2828 Kdbepm32.exe 2688 Kbhbai32.exe 2816 Lplbjm32.exe 1488 Lmpcca32.exe 2460 Lghgmg32.exe 1348 Lcohahpn.exe 1912 Lofifi32.exe 1020 Lhnmoo32.exe 2812 Lafahdcc.exe 2080 Mainndaq.exe 596 Mjdcbf32.exe 2380 Mjfphf32.exe 2392 Mgjpaj32.exe 1048 Moeeelhn.exe 1916 Mlieoqgg.exe 2456 Njmfhe32.exe 3048 Nbhkmg32.exe 2908 Nhbciaki.exe 1940 Nnokahip.exe 2128 Nghpjn32.exe 2368 Noohlkpc.exe 2084 Nbmdhfog.exe 1768 Ngjlpmnn.exe 468 Nbpqmfmd.exe 2160 Ndnmialh.exe 2360 Ogliemkk.exe 2720 Oqennbbl.exe 2596 Occjjnap.exe 2208 Oninhgae.exe 2684 Oqgjdbpi.exe 2496 Omnkicen.exe 2148 Oaigib32.exe 1452 Ojblbgdg.exe 2796 Ocjpkm32.exe 2648 Ofilgh32.exe 2096 Oighcd32.exe 536 Pbomli32.exe 2188 Piieicgl.exe 2316 Plhaeofp.exe 2204 Pnfnajed.exe 1976 Pilbocej.exe 1064 Pebbcdkn.exe 2248 Phaoppja.exe 2220 Pjoklkie.exe 1924 Peeoidik.exe 920 Pfflql32.exe 2644 Pnmdbi32.exe 1752 Palpneop.exe 1796 Pdjljpnc.exe 2884 Pfhhflmg.exe 2568 Qigebglj.exe 2492 Qpamoa32.exe 2572 Qboikm32.exe 1724 Qiiahgjh.exe 2344 Qlgndbil.exe 2216 Qdofep32.exe 2980 Aepbmhpl.exe 2252 Aljjjb32.exe 1336 Apefjqob.exe 272 Afpogk32.exe 580 Ahqkocmm.exe 1304 Aokckm32.exe 608 Aaipghcn.exe 1108 Aipgifcp.exe -
Loads dropped DLL 64 IoCs
pid Process 1708 2b8367f913adb5601245d9185407ada0N.exe 1708 2b8367f913adb5601245d9185407ada0N.exe 2828 Kdbepm32.exe 2828 Kdbepm32.exe 2688 Kbhbai32.exe 2688 Kbhbai32.exe 2816 Lplbjm32.exe 2816 Lplbjm32.exe 1488 Lmpcca32.exe 1488 Lmpcca32.exe 2460 Lghgmg32.exe 2460 Lghgmg32.exe 1348 Lcohahpn.exe 1348 Lcohahpn.exe 1912 Lofifi32.exe 1912 Lofifi32.exe 1020 Lhnmoo32.exe 1020 Lhnmoo32.exe 2812 Lafahdcc.exe 2812 Lafahdcc.exe 2080 Mainndaq.exe 2080 Mainndaq.exe 596 Mjdcbf32.exe 596 Mjdcbf32.exe 2380 Mjfphf32.exe 2380 Mjfphf32.exe 2392 Mgjpaj32.exe 2392 Mgjpaj32.exe 1048 Moeeelhn.exe 1048 Moeeelhn.exe 1916 Mlieoqgg.exe 1916 Mlieoqgg.exe 2456 Njmfhe32.exe 2456 Njmfhe32.exe 3048 Nbhkmg32.exe 3048 Nbhkmg32.exe 2908 Nhbciaki.exe 2908 Nhbciaki.exe 1940 Nnokahip.exe 1940 Nnokahip.exe 2128 Nghpjn32.exe 2128 Nghpjn32.exe 2368 Noohlkpc.exe 2368 Noohlkpc.exe 2084 Nbmdhfog.exe 2084 Nbmdhfog.exe 1768 Ngjlpmnn.exe 1768 Ngjlpmnn.exe 468 Nbpqmfmd.exe 468 Nbpqmfmd.exe 2160 Ndnmialh.exe 2160 Ndnmialh.exe 2360 Ogliemkk.exe 2360 Ogliemkk.exe 2720 Oqennbbl.exe 2720 Oqennbbl.exe 2596 Occjjnap.exe 2596 Occjjnap.exe 2208 Oninhgae.exe 2208 Oninhgae.exe 2684 Oqgjdbpi.exe 2684 Oqgjdbpi.exe 2496 Omnkicen.exe 2496 Omnkicen.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Haemloni.exe Hofqpc32.exe File created C:\Windows\SysWOW64\Lcjmleem.dll Hfebhmbm.exe File opened for modification C:\Windows\SysWOW64\Doqkpl32.exe Dlboca32.exe File created C:\Windows\SysWOW64\Ecgjdong.exe Dmmbge32.exe File created C:\Windows\SysWOW64\Bdaojbjf.exe Babbng32.exe File opened for modification C:\Windows\SysWOW64\Eiciig32.exe Ebialmjb.exe File created C:\Windows\SysWOW64\Nnfipe32.dll Fbpclofe.exe File opened for modification C:\Windows\SysWOW64\Dbdagg32.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Hnngcook.dll Ckhfpp32.exe File created C:\Windows\SysWOW64\Cpcpnokb.dll Iqcmcj32.exe File opened for modification C:\Windows\SysWOW64\Nfglfdeb.exe Ndfpnl32.exe File created C:\Windows\SysWOW64\Lgnjke32.exe Lpdankjg.exe File created C:\Windows\SysWOW64\Miocmq32.exe Lgpfpe32.exe File created C:\Windows\SysWOW64\Cpoodc32.dll Mhdpnm32.exe File opened for modification C:\Windows\SysWOW64\Nflfad32.exe Nobndj32.exe File created C:\Windows\SysWOW64\Cdokfc32.dll Onldqejb.exe File created C:\Windows\SysWOW64\Oopqjabc.dll Lcohahpn.exe File created C:\Windows\SysWOW64\Dabahf32.dll Mjdcbf32.exe File created C:\Windows\SysWOW64\Ghodpb32.dll Clciod32.exe File created C:\Windows\SysWOW64\Qgnonqai.dll Dbbklnpj.exe File created C:\Windows\SysWOW64\Egfjdchi.exe Eiciig32.exe File created C:\Windows\SysWOW64\Knijnb32.dll Hhmhcigh.exe File opened for modification C:\Windows\SysWOW64\Iciopdca.exe Imogcj32.exe File created C:\Windows\SysWOW64\Lplbjm32.exe Kbhbai32.exe File created C:\Windows\SysWOW64\Adjhicpo.exe Aaklmhak.exe File created C:\Windows\SysWOW64\Jbcqjf32.dll Dcmnja32.exe File opened for modification C:\Windows\SysWOW64\Boeoek32.exe Bpboinpd.exe File created C:\Windows\SysWOW64\Bnfoepmg.dll Ebockkal.exe File created C:\Windows\SysWOW64\Nnmihice.dll Noohlkpc.exe File created C:\Windows\SysWOW64\Phaoppja.exe Pebbcdkn.exe File created C:\Windows\SysWOW64\Ajnnkldn.dll Haemloni.exe File opened for modification C:\Windows\SysWOW64\Efhcej32.exe Ecjgio32.exe File created C:\Windows\SysWOW64\Gagolf32.dll Plhaeofp.exe File created C:\Windows\SysWOW64\Mfpqebhl.dll Bchhqo32.exe File created C:\Windows\SysWOW64\Bgfdgq32.dll Ijqjgo32.exe File opened for modification C:\Windows\SysWOW64\Fmnahilc.exe Fegjgkla.exe File created C:\Windows\SysWOW64\Fnejdq32.dll Ifgklp32.exe File created C:\Windows\SysWOW64\Egpena32.exe Eebibf32.exe File opened for modification C:\Windows\SysWOW64\Bfiabjjm.exe Booiep32.exe File created C:\Windows\SysWOW64\Chlgid32.exe Cdqkifmb.exe File created C:\Windows\SysWOW64\Fbngfo32.exe Fpokjd32.exe File created C:\Windows\SysWOW64\Igkhjdde.exe Idmlniea.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pgibdjln.exe File created C:\Windows\SysWOW64\Dhklna32.exe Dbadagln.exe File created C:\Windows\SysWOW64\Dkjhjm32.exe Dhklna32.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Ebockkal.exe File opened for modification C:\Windows\SysWOW64\Qpamoa32.exe Qigebglj.exe File created C:\Windows\SysWOW64\Lfgjgn32.dll Cbdkbjkl.exe File created C:\Windows\SysWOW64\Gdhfdffl.exe Gkpakq32.exe File created C:\Windows\SysWOW64\Bknmok32.exe Bimphc32.exe File created C:\Windows\SysWOW64\Bdajpkkj.dll Bimphc32.exe File opened for modification C:\Windows\SysWOW64\Eqkjmcmq.exe Enmnahnm.exe File created C:\Windows\SysWOW64\Fedfgejh.exe Fbfjkj32.exe File opened for modification C:\Windows\SysWOW64\Qlgndbil.exe Qiiahgjh.exe File created C:\Windows\SysWOW64\Jmdaehpn.dll Afgnkilf.exe File created C:\Windows\SysWOW64\Fnicaj32.dll Bikcbc32.exe File created C:\Windows\SysWOW64\Heiojloh.dll Gagmbkik.exe File opened for modification C:\Windows\SysWOW64\Igkhjdde.exe Idmlniea.exe File created C:\Windows\SysWOW64\Kgdcgk32.dll Dfbqgldn.exe File created C:\Windows\SysWOW64\Ccboal32.dll Geloanjg.exe File created C:\Windows\SysWOW64\Cjoohi32.dll Hhaanh32.exe File opened for modification C:\Windows\SysWOW64\Ifpelq32.exe Igmepdbc.exe File created C:\Windows\SysWOW64\Mneaacno.exe Mldeik32.exe File opened for modification C:\Windows\SysWOW64\Nhbciaki.exe Nbhkmg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5584 5560 WerFault.exe 475 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfpnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiiahgjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haemloni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggeokoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoijebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjcjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdckobhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojblbgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjhicpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifaajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcdpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceeqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbqgldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpdhifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boleejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaoppja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaipghcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoaill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelhmlgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einlmkhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkicbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceapl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgibdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elieipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coafko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchhqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejfmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkibjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djicmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcohahpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjnplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpacogjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqjhcfpc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghjkpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjqcd32.dll" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epfhde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjcjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmefaan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idmlniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlboca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiokholk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbqn32.dll" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llolnffe.dll" Bjngbihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ephdjeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblfonpc.dll" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nobndj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiahnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcmlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpdjjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknbgb32.dll" Ahqkocmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjhmaca.dll" Dmjlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhina32.dll" Gpogiglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmhcigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkhml32.dll" Lmhbgpia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peeoidik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiqibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mldeik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhjamcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hljaigmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcngamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgmnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckkcep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhdpnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddcbgfn.dll" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdgjcl32.dll" Egfjdchi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eannmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlecinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjke32.dll" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjoohi32.dll" Hhaanh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpboinpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oighcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoijebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eebibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfbqgldn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeoeclek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doqkpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcofica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhcopq.dll" Ecadddjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldkdckff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2828 1708 2b8367f913adb5601245d9185407ada0N.exe 30 PID 1708 wrote to memory of 2828 1708 2b8367f913adb5601245d9185407ada0N.exe 30 PID 1708 wrote to memory of 2828 1708 2b8367f913adb5601245d9185407ada0N.exe 30 PID 1708 wrote to memory of 2828 1708 2b8367f913adb5601245d9185407ada0N.exe 30 PID 2828 wrote to memory of 2688 2828 Kdbepm32.exe 31 PID 2828 wrote to memory of 2688 2828 Kdbepm32.exe 31 PID 2828 wrote to memory of 2688 2828 Kdbepm32.exe 31 PID 2828 wrote to memory of 2688 2828 Kdbepm32.exe 31 PID 2688 wrote to memory of 2816 2688 Kbhbai32.exe 32 PID 2688 wrote to memory of 2816 2688 Kbhbai32.exe 32 PID 2688 wrote to memory of 2816 2688 Kbhbai32.exe 32 PID 2688 wrote to memory of 2816 2688 Kbhbai32.exe 32 PID 2816 wrote to memory of 1488 2816 Lplbjm32.exe 33 PID 2816 wrote to memory of 1488 2816 Lplbjm32.exe 33 PID 2816 wrote to memory of 1488 2816 Lplbjm32.exe 33 PID 2816 wrote to memory of 1488 2816 Lplbjm32.exe 33 PID 1488 wrote to memory of 2460 1488 Lmpcca32.exe 34 PID 1488 wrote to memory of 2460 1488 Lmpcca32.exe 34 PID 1488 wrote to memory of 2460 1488 Lmpcca32.exe 34 PID 1488 wrote to memory of 2460 1488 Lmpcca32.exe 34 PID 2460 wrote to memory of 1348 2460 Lghgmg32.exe 35 PID 2460 wrote to memory of 1348 2460 Lghgmg32.exe 35 PID 2460 wrote to memory of 1348 2460 Lghgmg32.exe 35 PID 2460 wrote to memory of 1348 2460 Lghgmg32.exe 35 PID 1348 wrote to memory of 1912 1348 Lcohahpn.exe 36 PID 1348 wrote to memory of 1912 1348 Lcohahpn.exe 36 PID 1348 wrote to memory of 1912 1348 Lcohahpn.exe 36 PID 1348 wrote to memory of 1912 1348 Lcohahpn.exe 36 PID 1912 wrote to memory of 1020 1912 Lofifi32.exe 37 PID 1912 wrote to memory of 1020 1912 Lofifi32.exe 37 PID 1912 wrote to memory of 1020 1912 Lofifi32.exe 37 PID 1912 wrote to memory of 1020 1912 Lofifi32.exe 37 PID 1020 wrote to memory of 2812 1020 Lhnmoo32.exe 38 PID 1020 wrote to memory of 2812 1020 Lhnmoo32.exe 38 PID 1020 wrote to memory of 2812 1020 Lhnmoo32.exe 38 PID 1020 wrote to memory of 2812 1020 Lhnmoo32.exe 38 PID 2812 wrote to memory of 2080 2812 Lafahdcc.exe 39 PID 2812 wrote to memory of 2080 2812 Lafahdcc.exe 39 PID 2812 wrote to memory of 2080 2812 Lafahdcc.exe 39 PID 2812 wrote to memory of 2080 2812 Lafahdcc.exe 39 PID 2080 wrote to memory of 596 2080 Mainndaq.exe 40 PID 2080 wrote to memory of 596 2080 Mainndaq.exe 40 PID 2080 wrote to memory of 596 2080 Mainndaq.exe 40 PID 2080 wrote to memory of 596 2080 Mainndaq.exe 40 PID 596 wrote to memory of 2380 596 Mjdcbf32.exe 41 PID 596 wrote to memory of 2380 596 Mjdcbf32.exe 41 PID 596 wrote to memory of 2380 596 Mjdcbf32.exe 41 PID 596 wrote to memory of 2380 596 Mjdcbf32.exe 41 PID 2380 wrote to memory of 2392 2380 Mjfphf32.exe 42 PID 2380 wrote to memory of 2392 2380 Mjfphf32.exe 42 PID 2380 wrote to memory of 2392 2380 Mjfphf32.exe 42 PID 2380 wrote to memory of 2392 2380 Mjfphf32.exe 42 PID 2392 wrote to memory of 1048 2392 Mgjpaj32.exe 43 PID 2392 wrote to memory of 1048 2392 Mgjpaj32.exe 43 PID 2392 wrote to memory of 1048 2392 Mgjpaj32.exe 43 PID 2392 wrote to memory of 1048 2392 Mgjpaj32.exe 43 PID 1048 wrote to memory of 1916 1048 Moeeelhn.exe 44 PID 1048 wrote to memory of 1916 1048 Moeeelhn.exe 44 PID 1048 wrote to memory of 1916 1048 Moeeelhn.exe 44 PID 1048 wrote to memory of 1916 1048 Moeeelhn.exe 44 PID 1916 wrote to memory of 2456 1916 Mlieoqgg.exe 45 PID 1916 wrote to memory of 2456 1916 Mlieoqgg.exe 45 PID 1916 wrote to memory of 2456 1916 Mlieoqgg.exe 45 PID 1916 wrote to memory of 2456 1916 Mlieoqgg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b8367f913adb5601245d9185407ada0N.exe"C:\Users\Admin\AppData\Local\Temp\2b8367f913adb5601245d9185407ada0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Lafahdcc.exeC:\Windows\system32\Lafahdcc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe33⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe36⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe38⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe39⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe41⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe42⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe45⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe47⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe48⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe49⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe50⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Pfhhflmg.exeC:\Windows\system32\Pfhhflmg.exe51⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe56⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe59⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe60⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe61⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe63⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe65⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe66⤵PID:2640
-
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe67⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Alaqjaaa.exeC:\Windows\system32\Alaqjaaa.exe69⤵PID:1632
-
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe70⤵PID:3028
-
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe71⤵PID:2676
-
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe73⤵PID:636
-
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe74⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe75⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe77⤵PID:1140
-
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe78⤵
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe80⤵
- System Location Discovery: System Language Discovery
PID:276 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe81⤵PID:960
-
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe82⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe85⤵PID:2480
-
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe89⤵PID:2184
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe90⤵PID:2288
-
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe91⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe92⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe93⤵PID:2412
-
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe94⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe95⤵PID:1692
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe96⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe97⤵PID:1584
-
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe98⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe100⤵PID:2328
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe101⤵PID:1604
-
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe102⤵PID:2716
-
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe103⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe104⤵PID:2228
-
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe105⤵PID:2068
-
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe107⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe108⤵PID:2332
-
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe111⤵PID:1836
-
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe112⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe113⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe114⤵PID:2724
-
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe116⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe118⤵PID:1116
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe120⤵PID:2476
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe121⤵
- Modifies registry class
PID:2532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-