Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 22:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eccdb5ed371a7dad16b5ca83475d0290N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
eccdb5ed371a7dad16b5ca83475d0290N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
eccdb5ed371a7dad16b5ca83475d0290N.exe
-
Size
96KB
-
MD5
eccdb5ed371a7dad16b5ca83475d0290
-
SHA1
15254ba510c86a8c8c1e81477f4d7c5585a71a4b
-
SHA256
be818fe441e0934a000594d2df66de2598929108c763d1c0bef1b4aba8c431aa
-
SHA512
3874a8c2259e7791ef1a84f261267f7758b5c6cffccf2547123484797d12b0a6bafd22b6f2767654259859ef3caa677d6a175b19a281a82c37193b998732b13f
-
SSDEEP
1536:BK+hy497dkdHO0wX6hE6/NTz7cw2Lk1wPXuhiTMuZXGTIVefVDkryyAyqX:BByk7dkdHjwqhE6/tzSawPXuhuXGQmVT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Almmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjpdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpibghg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjaieoko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbqflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnnfllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmfke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnchg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklnmgic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgabhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkpgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjcfjoil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcijmhdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgoaiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgndnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfdem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpibghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccinnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabppo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefboabg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fianpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjikh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqonp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opicgenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phphgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmaoem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbaafak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmikkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefboabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfjme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djaedbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efaiobkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enokidgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhlhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimedaoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepeep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpgai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blklfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaeneno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foacmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddbfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhjejai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmiahlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhiglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqfdem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbqmhd.exe -
Executes dropped EXE 64 IoCs
pid Process 2836 Nnndin32.exe 2924 Nfeljlqh.exe 2900 Ngfhbd32.exe 2984 Odjikh32.exe 2760 Okdahbmm.exe 452 Oemfahcn.exe 1116 Ogkbmcba.exe 932 Omhjejai.exe 2136 Oeobfgak.exe 2108 Ofqonp32.exe 2548 Oafclh32.exe 1692 Opicgenj.exe 2868 Ofcldoef.exe 1960 Ofehiocd.exe 1572 Pmoqfi32.exe 2476 Plbaafak.exe 1180 Pejejkhl.exe 2484 Pppihdha.exe 2872 Pnbjca32.exe 2196 Pihnqj32.exe 952 Plfjme32.exe 1772 Phmkaf32.exe 612 Pngcnpkg.exe 2420 Pafpjljk.exe 2336 Phphgf32.exe 2776 Pnjpdphd.exe 2756 Qdfhlggl.exe 2684 Qpmiahlp.exe 2824 Qhdabemb.exe 2960 Qfganb32.exe 2532 Appfggjm.exe 2188 Alfflhpa.exe 2016 Adnomfqc.exe 2460 Aeokdn32.exe 3060 Amfcfk32.exe 2848 Aeahjn32.exe 2100 Alkpgh32.exe 2992 Aioppl32.exe 1916 Almmlg32.exe 1680 Aefaemqj.exe 1424 Blpibghg.exe 2220 Bnafjo32.exe 2472 Bambjnfn.exe 1608 Bgijbede.exe 3004 Baoopndk.exe 596 Bdmklico.exe 2040 Bhiglh32.exe 2036 Bglghdbc.exe 2280 Bnfodojp.exe 2288 Bdpgai32.exe 2968 Bgndnd32.exe 2828 Bjlpjp32.exe 2712 Blklfk32.exe 2724 Bcedbefd.exe 1892 Bfcqoqeh.exe 2156 Bjomoo32.exe 1896 Blmikkle.exe 552 Colegflh.exe 3064 Cgcmiclk.exe 1860 Cjaieoko.exe 1256 Cpkaai32.exe 2104 Ccinnd32.exe 2164 Cjcfjoil.exe 1652 Chfffk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 2836 Nnndin32.exe 2836 Nnndin32.exe 2924 Nfeljlqh.exe 2924 Nfeljlqh.exe 2900 Ngfhbd32.exe 2900 Ngfhbd32.exe 2984 Odjikh32.exe 2984 Odjikh32.exe 2760 Okdahbmm.exe 2760 Okdahbmm.exe 452 Oemfahcn.exe 452 Oemfahcn.exe 1116 Ogkbmcba.exe 1116 Ogkbmcba.exe 932 Omhjejai.exe 932 Omhjejai.exe 2136 Oeobfgak.exe 2136 Oeobfgak.exe 2108 Ofqonp32.exe 2108 Ofqonp32.exe 2548 Oafclh32.exe 2548 Oafclh32.exe 1692 Opicgenj.exe 1692 Opicgenj.exe 2868 Ofcldoef.exe 2868 Ofcldoef.exe 1960 Ofehiocd.exe 1960 Ofehiocd.exe 1572 Pmoqfi32.exe 1572 Pmoqfi32.exe 2476 Plbaafak.exe 2476 Plbaafak.exe 1180 Pejejkhl.exe 1180 Pejejkhl.exe 2484 Pppihdha.exe 2484 Pppihdha.exe 2872 Pnbjca32.exe 2872 Pnbjca32.exe 2196 Pihnqj32.exe 2196 Pihnqj32.exe 952 Plfjme32.exe 952 Plfjme32.exe 1772 Phmkaf32.exe 1772 Phmkaf32.exe 612 Pngcnpkg.exe 612 Pngcnpkg.exe 2420 Pafpjljk.exe 2420 Pafpjljk.exe 2336 Phphgf32.exe 2336 Phphgf32.exe 2776 Pnjpdphd.exe 2776 Pnjpdphd.exe 2756 Qdfhlggl.exe 2756 Qdfhlggl.exe 2684 Qpmiahlp.exe 2684 Qpmiahlp.exe 2824 Qhdabemb.exe 2824 Qhdabemb.exe 2960 Qfganb32.exe 2960 Qfganb32.exe 2532 Appfggjm.exe 2532 Appfggjm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Amfcfk32.exe Aeokdn32.exe File created C:\Windows\SysWOW64\Cjcfjoil.exe Ccinnd32.exe File opened for modification C:\Windows\SysWOW64\Dqknqleg.exe Dmobpn32.exe File opened for modification C:\Windows\SysWOW64\Eibbqmhd.exe Ebhjdc32.exe File created C:\Windows\SysWOW64\Enokidgl.exe Ejcohe32.exe File created C:\Windows\SysWOW64\Fabppo32.exe Ejhhcdjm.exe File opened for modification C:\Windows\SysWOW64\Ghpngkhm.exe Gddbfm32.exe File opened for modification C:\Windows\SysWOW64\Giakoc32.exe Ghpngkhm.exe File opened for modification C:\Windows\SysWOW64\Faopib32.exe Foacmg32.exe File opened for modification C:\Windows\SysWOW64\Ofqonp32.exe Oeobfgak.exe File opened for modification C:\Windows\SysWOW64\Bdpgai32.exe Bnfodojp.exe File created C:\Windows\SysWOW64\Cbokoa32.exe Copobe32.exe File created C:\Windows\SysWOW64\Foacmg32.exe Fhgkqmph.exe File created C:\Windows\SysWOW64\Gkiiie32.dll Gklnmgic.exe File created C:\Windows\SysWOW64\Oahfnj32.dll Plbaafak.exe File created C:\Windows\SysWOW64\Fgmncb32.dll Blpibghg.exe File created C:\Windows\SysWOW64\Emkggfkj.dll Bnafjo32.exe File created C:\Windows\SysWOW64\Oeiakl32.dll Bglghdbc.exe File opened for modification C:\Windows\SysWOW64\Blklfk32.exe Bjlpjp32.exe File created C:\Windows\SysWOW64\Djoinbpm.exe Dklibf32.exe File created C:\Windows\SysWOW64\Djfooa32.exe Dggcbf32.exe File created C:\Windows\SysWOW64\Dglmdppi.dll Djaedbnj.exe File created C:\Windows\SysWOW64\Dcnchg32.exe Dmdkkm32.exe File opened for modification C:\Windows\SysWOW64\Dpedmhfi.exe Diklpn32.exe File created C:\Windows\SysWOW64\Kjidobcm.dll Phphgf32.exe File created C:\Windows\SysWOW64\Kkmenq32.dll Bhiglh32.exe File created C:\Windows\SysWOW64\Lqicio32.dll Cpkaai32.exe File created C:\Windows\SysWOW64\Logaao32.dll Ehilgikj.exe File created C:\Windows\SysWOW64\Bhiglh32.exe Bdmklico.exe File opened for modification C:\Windows\SysWOW64\Enokidgl.exe Ejcohe32.exe File opened for modification C:\Windows\SysWOW64\Plbaafak.exe Pmoqfi32.exe File opened for modification C:\Windows\SysWOW64\Qhdabemb.exe Qpmiahlp.exe File opened for modification C:\Windows\SysWOW64\Ejcohe32.exe Eheblj32.exe File created C:\Windows\SysWOW64\Anogmi32.dll Almmlg32.exe File created C:\Windows\SysWOW64\Ngcoin32.dll Djoinbpm.exe File created C:\Windows\SysWOW64\Fbjchfaq.exe Fooghg32.exe File opened for modification C:\Windows\SysWOW64\Opicgenj.exe Oafclh32.exe File opened for modification C:\Windows\SysWOW64\Almmlg32.exe Aioppl32.exe File created C:\Windows\SysWOW64\Jngdfa32.dll Ebhjdc32.exe File opened for modification C:\Windows\SysWOW64\Fabppo32.exe Ejhhcdjm.exe File created C:\Windows\SysWOW64\Ebenhifo.dll Oafclh32.exe File opened for modification C:\Windows\SysWOW64\Phmkaf32.exe Plfjme32.exe File created C:\Windows\SysWOW64\Dqknqleg.exe Dmobpn32.exe File opened for modification C:\Windows\SysWOW64\Djfooa32.exe Dggcbf32.exe File created C:\Windows\SysWOW64\Dklibf32.exe Cdbqflae.exe File created C:\Windows\SysWOW64\Epgabhdg.exe Eimien32.exe File created C:\Windows\SysWOW64\Pgjlbh32.dll Foacmg32.exe File created C:\Windows\SysWOW64\Alkpgh32.exe Aeahjn32.exe File opened for modification C:\Windows\SysWOW64\Dgbiggof.exe Dqiakm32.exe File created C:\Windows\SysWOW64\Lcegdl32.dll Dqmkflcd.exe File created C:\Windows\SysWOW64\Ffoihepa.exe Fhlhmi32.exe File created C:\Windows\SysWOW64\Mmogcdag.dll Pmoqfi32.exe File created C:\Windows\SysWOW64\Qpmiahlp.exe Qdfhlggl.exe File created C:\Windows\SysWOW64\Kpmbqj32.dll Cnhhia32.exe File created C:\Windows\SysWOW64\Cdbqflae.exe Cqfdem32.exe File created C:\Windows\SysWOW64\Efaiobkc.exe Enjand32.exe File opened for modification C:\Windows\SysWOW64\Bglghdbc.exe Bhiglh32.exe File opened for modification C:\Windows\SysWOW64\Fdpmljan.exe Fabppo32.exe File created C:\Windows\SysWOW64\Gbkmhded.dll Cgcmiclk.exe File created C:\Windows\SysWOW64\Nnpopj32.dll Dmdkkm32.exe File opened for modification C:\Windows\SysWOW64\Eeameodq.exe Dcppmg32.exe File opened for modification C:\Windows\SysWOW64\Goemhfco.exe Gaamobdf.exe File created C:\Windows\SysWOW64\Jgjojj32.dll Ofqonp32.exe File created C:\Windows\SysWOW64\Gddbfm32.exe Gmkjjbhg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2076 2348 WerFault.exe 173 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmiclk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbagdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeameodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgmak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnndin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfjme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefaemqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfdem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpedmhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnnfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifhkpgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngcnpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appfggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bambjnfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibbqmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkaai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcijmhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blmikkle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djaedbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opicgenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pppihdha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbjca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafpjljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaieoko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimedaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejejkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbokoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmiahlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgabhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phphgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efaiobkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehilgikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccinnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnchg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmknko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcedbefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbiggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmkjjbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjchfaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngfhbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoinbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goemhfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmgobfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoqfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpgai32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emgkqnci.dll" Eeameodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjcfjoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglmdppi.dll" Djaedbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pihnqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehgoaiml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eekpknlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpngkhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkiiie32.dll" Gklnmgic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfeljlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okdahbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmbqj32.dll" Cnhhia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhldahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibbqmhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbjca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeameodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmoqfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Appfggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcnkj32.dll" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjlfmkh.dll" Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoclfip.dll" Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Appfggjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeahjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnifhcei.dll" Dmobpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffoihepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biamam32.dll" Emdgjpkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcbdo32.dll" Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhnndia.dll" Cldolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjffln.dll" Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahibj32.dll" Dqknqleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcqj32.dll" Ffaeneno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goemhfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnhiihl.dll" Nnndin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pngcnpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeggj32.dll" Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjegejfl.dll" Copobe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glclampi.dll" Dgbiggof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimedaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpnlnon.dll" Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcegdl32.dll" Dqmkflcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfganb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqqclmpe.dll" Aeahjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeameodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejeknelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foacmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} eccdb5ed371a7dad16b5ca83475d0290N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfcqoqeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbfaopqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djaedbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpncg32.dll" Ccinnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalaioi.dll" Goemhfco.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2584 wrote to memory of 2836 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 29 PID 2584 wrote to memory of 2836 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 29 PID 2584 wrote to memory of 2836 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 29 PID 2584 wrote to memory of 2836 2584 eccdb5ed371a7dad16b5ca83475d0290N.exe 29 PID 2836 wrote to memory of 2924 2836 Nnndin32.exe 30 PID 2836 wrote to memory of 2924 2836 Nnndin32.exe 30 PID 2836 wrote to memory of 2924 2836 Nnndin32.exe 30 PID 2836 wrote to memory of 2924 2836 Nnndin32.exe 30 PID 2924 wrote to memory of 2900 2924 Nfeljlqh.exe 31 PID 2924 wrote to memory of 2900 2924 Nfeljlqh.exe 31 PID 2924 wrote to memory of 2900 2924 Nfeljlqh.exe 31 PID 2924 wrote to memory of 2900 2924 Nfeljlqh.exe 31 PID 2900 wrote to memory of 2984 2900 Ngfhbd32.exe 32 PID 2900 wrote to memory of 2984 2900 Ngfhbd32.exe 32 PID 2900 wrote to memory of 2984 2900 Ngfhbd32.exe 32 PID 2900 wrote to memory of 2984 2900 Ngfhbd32.exe 32 PID 2984 wrote to memory of 2760 2984 Odjikh32.exe 33 PID 2984 wrote to memory of 2760 2984 Odjikh32.exe 33 PID 2984 wrote to memory of 2760 2984 Odjikh32.exe 33 PID 2984 wrote to memory of 2760 2984 Odjikh32.exe 33 PID 2760 wrote to memory of 452 2760 Okdahbmm.exe 34 PID 2760 wrote to memory of 452 2760 Okdahbmm.exe 34 PID 2760 wrote to memory of 452 2760 Okdahbmm.exe 34 PID 2760 wrote to memory of 452 2760 Okdahbmm.exe 34 PID 452 wrote to memory of 1116 452 Oemfahcn.exe 35 PID 452 wrote to memory of 1116 452 Oemfahcn.exe 35 PID 452 wrote to memory of 1116 452 Oemfahcn.exe 35 PID 452 wrote to memory of 1116 452 Oemfahcn.exe 35 PID 1116 wrote to memory of 932 1116 Ogkbmcba.exe 36 PID 1116 wrote to memory of 932 1116 Ogkbmcba.exe 36 PID 1116 wrote to memory of 932 1116 Ogkbmcba.exe 36 PID 1116 wrote to memory of 932 1116 Ogkbmcba.exe 36 PID 932 wrote to memory of 2136 932 Omhjejai.exe 37 PID 932 wrote to memory of 2136 932 Omhjejai.exe 37 PID 932 wrote to memory of 2136 932 Omhjejai.exe 37 PID 932 wrote to memory of 2136 932 Omhjejai.exe 37 PID 2136 wrote to memory of 2108 2136 Oeobfgak.exe 38 PID 2136 wrote to memory of 2108 2136 Oeobfgak.exe 38 PID 2136 wrote to memory of 2108 2136 Oeobfgak.exe 38 PID 2136 wrote to memory of 2108 2136 Oeobfgak.exe 38 PID 2108 wrote to memory of 2548 2108 Ofqonp32.exe 39 PID 2108 wrote to memory of 2548 2108 Ofqonp32.exe 39 PID 2108 wrote to memory of 2548 2108 Ofqonp32.exe 39 PID 2108 wrote to memory of 2548 2108 Ofqonp32.exe 39 PID 2548 wrote to memory of 1692 2548 Oafclh32.exe 40 PID 2548 wrote to memory of 1692 2548 Oafclh32.exe 40 PID 2548 wrote to memory of 1692 2548 Oafclh32.exe 40 PID 2548 wrote to memory of 1692 2548 Oafclh32.exe 40 PID 1692 wrote to memory of 2868 1692 Opicgenj.exe 41 PID 1692 wrote to memory of 2868 1692 Opicgenj.exe 41 PID 1692 wrote to memory of 2868 1692 Opicgenj.exe 41 PID 1692 wrote to memory of 2868 1692 Opicgenj.exe 41 PID 2868 wrote to memory of 1960 2868 Ofcldoef.exe 42 PID 2868 wrote to memory of 1960 2868 Ofcldoef.exe 42 PID 2868 wrote to memory of 1960 2868 Ofcldoef.exe 42 PID 2868 wrote to memory of 1960 2868 Ofcldoef.exe 42 PID 1960 wrote to memory of 1572 1960 Ofehiocd.exe 43 PID 1960 wrote to memory of 1572 1960 Ofehiocd.exe 43 PID 1960 wrote to memory of 1572 1960 Ofehiocd.exe 43 PID 1960 wrote to memory of 1572 1960 Ofehiocd.exe 43 PID 1572 wrote to memory of 2476 1572 Pmoqfi32.exe 44 PID 1572 wrote to memory of 2476 1572 Pmoqfi32.exe 44 PID 1572 wrote to memory of 2476 1572 Pmoqfi32.exe 44 PID 1572 wrote to memory of 2476 1572 Pmoqfi32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\eccdb5ed371a7dad16b5ca83475d0290N.exe"C:\Users\Admin\AppData\Local\Temp\eccdb5ed371a7dad16b5ca83475d0290N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Nnndin32.exeC:\Windows\system32\Nnndin32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Opicgenj.exeC:\Windows\system32\Opicgenj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Pmoqfi32.exeC:\Windows\system32\Pmoqfi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Pnbjca32.exeC:\Windows\system32\Pnbjca32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Plfjme32.exeC:\Windows\system32\Plfjme32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Qpmiahlp.exeC:\Windows\system32\Qpmiahlp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Qhdabemb.exeC:\Windows\system32\Qhdabemb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Alfflhpa.exeC:\Windows\system32\Alfflhpa.exe33⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Adnomfqc.exeC:\Windows\system32\Adnomfqc.exe34⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Aeokdn32.exeC:\Windows\system32\Aeokdn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Aeahjn32.exeC:\Windows\system32\Aeahjn32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Alkpgh32.exeC:\Windows\system32\Alkpgh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Aioppl32.exeC:\Windows\system32\Aioppl32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Aefaemqj.exeC:\Windows\system32\Aefaemqj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Blpibghg.exeC:\Windows\system32\Blpibghg.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Bnafjo32.exeC:\Windows\system32\Bnafjo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Bgijbede.exeC:\Windows\system32\Bgijbede.exe45⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Baoopndk.exeC:\Windows\system32\Baoopndk.exe46⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Bhiglh32.exeC:\Windows\system32\Bhiglh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Bnfodojp.exeC:\Windows\system32\Bnfodojp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Bgndnd32.exeC:\Windows\system32\Bgndnd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Blklfk32.exeC:\Windows\system32\Blklfk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Bcedbefd.exeC:\Windows\system32\Bcedbefd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Bjomoo32.exeC:\Windows\system32\Bjomoo32.exe57⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Cgcmiclk.exeC:\Windows\system32\Cgcmiclk.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Cpkaai32.exeC:\Windows\system32\Cpkaai32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Cjcfjoil.exeC:\Windows\system32\Cjcfjoil.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Chfffk32.exeC:\Windows\system32\Chfffk32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Cbokoa32.exeC:\Windows\system32\Cbokoa32.exe67⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Cdmgkl32.exeC:\Windows\system32\Cdmgkl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Cldolj32.exeC:\Windows\system32\Cldolj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe70⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Cdpdpl32.exeC:\Windows\system32\Cdpdpl32.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe73⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Cqfdem32.exeC:\Windows\system32\Cqfdem32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Dbfaopqo.exeC:\Windows\system32\Dbfaopqo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe81⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe85⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe91⤵PID:1152
-
C:\Windows\SysWOW64\Dmdkkm32.exeC:\Windows\system32\Dmdkkm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Djhldahb.exeC:\Windows\system32\Djhldahb.exe94⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe95⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe96⤵
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Eimien32.exeC:\Windows\system32\Eimien32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Epgabhdg.exeC:\Windows\system32\Epgabhdg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Enjand32.exeC:\Windows\system32\Enjand32.exe101⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Efaiobkc.exeC:\Windows\system32\Efaiobkc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Eipekmjg.exeC:\Windows\system32\Eipekmjg.exe103⤵PID:1060
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe104⤵PID:2856
-
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Eibbqmhd.exeC:\Windows\system32\Eibbqmhd.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe107⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Ejcohe32.exeC:\Windows\system32\Ejcohe32.exe108⤵
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Eeicenni.exeC:\Windows\system32\Eeicenni.exe110⤵PID:928
-
C:\Windows\SysWOW64\Ehgoaiml.exeC:\Windows\system32\Ehgoaiml.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe112⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Emdgjpkd.exeC:\Windows\system32\Emdgjpkd.exe113⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe114⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Ejhhcdjm.exeC:\Windows\system32\Ejhhcdjm.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Fabppo32.exeC:\Windows\system32\Fabppo32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe118⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe120⤵
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Fimedaoe.exeC:\Windows\system32\Fimedaoe.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-