Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 06:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe
-
Size
357KB
-
MD5
280cfc5b47b5e9e9d458f4ce85b7b1f0
-
SHA1
e18ca966a3ea84e19e090bca48d752c4d8485284
-
SHA256
eaefefbe3485a06b976a62f4bc5d9cdd2876bf8dcfb66fc900e86dbca4e39050
-
SHA512
2a8f1db3f0f264438e9ec2f2cac090d5875f897da0a762a6253657fe91320a6bfde44b9d71426520be7477869b90583302073f456365982a0a7fcb20168456eb
-
SSDEEP
6144:Osrxq4az5NEQ1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFOk:vU4az5N7ZoXpKtCe1eehil6ZR5ZrQegO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iijbnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjlgaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeilbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkafib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elnonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonebqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edhmhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekeiel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leaallcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnfhfmhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akhndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfenn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdnmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanfgofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjljpjjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flbehbqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmhfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgenh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfcik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgdfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhhjcmpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbgakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldlghhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkomepon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kemgqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqlhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kloqiijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjgclcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggbdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epgoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhnjclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlcgmpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjblboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklaepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppogok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkccob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjcnfcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpedghl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjblboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fialggcl.exe -
Executes dropped EXE 64 IoCs
pid Process 2252 Pcagkmaj.exe 2796 Ppegdapd.exe 2880 Pnihneon.exe 1240 Adncoc32.exe 840 Aklefm32.exe 2628 Bjdnmi32.exe 2408 Bikhce32.exe 3028 Bklaepbn.exe 2712 Cfkkam32.exe 2128 Cfmhfm32.exe 3016 Degobhjg.exe 2280 Dbkolmia.exe 2484 Ehonebqq.exe 2240 Edenjc32.exe 1880 Eekdmk32.exe 2292 Fdcncg32.exe 1068 Fkapkq32.exe 1568 Fkdlaplh.exe 1384 Gmgenh32.exe 1076 Ggmjkapi.exe 2596 Gojkecka.exe 1756 Hqbnnj32.exe 2112 Hgobpd32.exe 3040 Hjmolp32.exe 1536 Hmnhnk32.exe 2736 Ilceog32.exe 2748 Ilfadg32.exe 3004 Iijbnkne.exe 2900 Ibdclp32.exe 2864 Iokdaa32.exe 676 Jpomnilc.exe 2072 Jigagocd.exe 1020 Jmggcmgg.exe 2972 Jeblgodb.exe 2820 Kloqiijm.exe 2964 Kanfgofa.exe 1712 Kneflplf.exe 944 Kjlgaa32.exe 2068 Lllpclnk.exe 2316 Lomidgkl.exe 2828 Llainlje.exe 472 Lhhjcmpj.exe 288 Lbpolb32.exe 3048 Llfcik32.exe 2340 Mbbkabdh.exe 2376 Mkkpjg32.exe 3012 Mgaqohql.exe 3068 Mdeaim32.exe 612 Mjbiac32.exe 2872 Mcknjidn.exe 1732 Mpaoojjb.exe 2792 Mjgclcjh.exe 2756 Nilpmo32.exe 2272 Nbddfe32.exe 980 Nmjicn32.exe 2912 Nbgakd32.exe 1708 Nicfnn32.exe 2416 Nbljfdoh.exe 2200 Ohhcokmp.exe 2204 Oaaghp32.exe 2464 Onehadbj.exe 2372 Ojlife32.exe 1884 Oddmokoo.exe 568 Opkndldc.exe -
Loads dropped DLL 64 IoCs
pid Process 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 2252 Pcagkmaj.exe 2252 Pcagkmaj.exe 2796 Ppegdapd.exe 2796 Ppegdapd.exe 2880 Pnihneon.exe 2880 Pnihneon.exe 1240 Adncoc32.exe 1240 Adncoc32.exe 840 Aklefm32.exe 840 Aklefm32.exe 2628 Bjdnmi32.exe 2628 Bjdnmi32.exe 2408 Bikhce32.exe 2408 Bikhce32.exe 3028 Bklaepbn.exe 3028 Bklaepbn.exe 2712 Cfkkam32.exe 2712 Cfkkam32.exe 2128 Cfmhfm32.exe 2128 Cfmhfm32.exe 3016 Degobhjg.exe 3016 Degobhjg.exe 2280 Dbkolmia.exe 2280 Dbkolmia.exe 2484 Ehonebqq.exe 2484 Ehonebqq.exe 2240 Edenjc32.exe 2240 Edenjc32.exe 1880 Eekdmk32.exe 1880 Eekdmk32.exe 2292 Fdcncg32.exe 2292 Fdcncg32.exe 1068 Fkapkq32.exe 1068 Fkapkq32.exe 1568 Fkdlaplh.exe 1568 Fkdlaplh.exe 1384 Gmgenh32.exe 1384 Gmgenh32.exe 1076 Ggmjkapi.exe 1076 Ggmjkapi.exe 2596 Gojkecka.exe 2596 Gojkecka.exe 1756 Hqbnnj32.exe 1756 Hqbnnj32.exe 2112 Hgobpd32.exe 2112 Hgobpd32.exe 3040 Hjmolp32.exe 3040 Hjmolp32.exe 1536 Hmnhnk32.exe 1536 Hmnhnk32.exe 2736 Ilceog32.exe 2736 Ilceog32.exe 2748 Ilfadg32.exe 2748 Ilfadg32.exe 3004 Iijbnkne.exe 3004 Iijbnkne.exe 2900 Ibdclp32.exe 2900 Ibdclp32.exe 2864 Iokdaa32.exe 2864 Iokdaa32.exe 676 Jpomnilc.exe 676 Jpomnilc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmmmoqep.dll Jiaaaicm.exe File created C:\Windows\SysWOW64\Limhol32.dll Mlnbmikh.exe File created C:\Windows\SysWOW64\Jligibpk.dll Opqdcgib.exe File created C:\Windows\SysWOW64\Ehonebqq.exe Dbkolmia.exe File created C:\Windows\SysWOW64\Aagfffbo.exe Afqeaemk.exe File opened for modification C:\Windows\SysWOW64\Gdjblboj.exe Ghcbga32.exe File created C:\Windows\SysWOW64\Pihmimaj.dll Hgobpd32.exe File opened for modification C:\Windows\SysWOW64\Hnomkloi.exe Hkpaoape.exe File created C:\Windows\SysWOW64\Ppogok32.exe Pieobaiq.exe File opened for modification C:\Windows\SysWOW64\Fimclh32.exe Emfbgg32.exe File opened for modification C:\Windows\SysWOW64\Gocnjn32.exe Flbehbqm.exe File opened for modification C:\Windows\SysWOW64\Hnlqemal.exe Hiphmf32.exe File created C:\Windows\SysWOW64\Kmpfgklo.exe Kdgane32.exe File created C:\Windows\SysWOW64\Ofmiea32.exe Oenmkngi.exe File opened for modification C:\Windows\SysWOW64\Edenjc32.exe Ehonebqq.exe File opened for modification C:\Windows\SysWOW64\Hjmolp32.exe Hgobpd32.exe File opened for modification C:\Windows\SysWOW64\Homfboco.exe Hcfenn32.exe File opened for modification C:\Windows\SysWOW64\Mjbiac32.exe Mdeaim32.exe File created C:\Windows\SysWOW64\Jlbjcd32.exe Jiaaaicm.exe File created C:\Windows\SysWOW64\Cofohkgi.exe Cocbbk32.exe File created C:\Windows\SysWOW64\Lpeeon32.dll Jigagocd.exe File created C:\Windows\SysWOW64\Llfcik32.exe Lbpolb32.exe File created C:\Windows\SysWOW64\Kgggld32.dll Ncjcnfcn.exe File created C:\Windows\SysWOW64\Lgqfpqja.dll Ceoagcld.exe File created C:\Windows\SysWOW64\Gmpoce32.dll Kblooa32.exe File created C:\Windows\SysWOW64\Pkegca32.dll Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Eenckc32.exe Ebmjihqn.exe File opened for modification C:\Windows\SysWOW64\Iokdaa32.exe Ibdclp32.exe File created C:\Windows\SysWOW64\Afqeaemk.exe Ahmehqna.exe File created C:\Windows\SysWOW64\Akjjifji.exe Akhndf32.exe File created C:\Windows\SysWOW64\Feedfo32.dll Kkomepon.exe File created C:\Windows\SysWOW64\Mcendc32.exe Mgomoboc.exe File created C:\Windows\SysWOW64\Moonqphf.dll Nbddfe32.exe File opened for modification C:\Windows\SysWOW64\Fdemap32.exe Fkmhij32.exe File created C:\Windows\SysWOW64\Epochndp.dll Dbneekan.exe File opened for modification C:\Windows\SysWOW64\Hcnfjpib.exe Hggeeo32.exe File opened for modification C:\Windows\SysWOW64\Hbccklmj.exe Hikobfgj.exe File created C:\Windows\SysWOW64\Akhndf32.exe Akfaof32.exe File created C:\Windows\SysWOW64\Aaplgfio.dll Llainlje.exe File created C:\Windows\SysWOW64\Bhocnhce.dll Pieobaiq.exe File opened for modification C:\Windows\SysWOW64\Gmgenh32.exe Fkdlaplh.exe File opened for modification C:\Windows\SysWOW64\Aagfffbo.exe Afqeaemk.exe File opened for modification C:\Windows\SysWOW64\Dnmhogjo.exe Dippfplg.exe File created C:\Windows\SysWOW64\Hjmolp32.exe Hgobpd32.exe File created C:\Windows\SysWOW64\Iknkfi32.dll Ndpmbjbk.exe File created C:\Windows\SysWOW64\Cqlhlo32.exe Bgcdcjpf.exe File created C:\Windows\SysWOW64\Kneflplf.exe Kanfgofa.exe File opened for modification C:\Windows\SysWOW64\Fcjqpm32.exe Fialggcl.exe File created C:\Windows\SysWOW64\Flbehbqm.exe Fcjqpm32.exe File created C:\Windows\SysWOW64\Fmflaaok.dll Dbkolmia.exe File opened for modification C:\Windows\SysWOW64\Ekeiel32.exe Eehqme32.exe File created C:\Windows\SysWOW64\Aggkdlod.exe Almjcobe.exe File opened for modification C:\Windows\SysWOW64\Ehdpcahk.exe Elnonp32.exe File created C:\Windows\SysWOW64\Lcqdidim.exe Ljhppo32.exe File created C:\Windows\SysWOW64\Ndpmbjbk.exe Ndnplk32.exe File created C:\Windows\SysWOW64\Dcecef32.dll Akjjifji.exe File created C:\Windows\SysWOW64\Djgbkf32.dll Apjpglfn.exe File created C:\Windows\SysWOW64\Ppegdapd.exe Pcagkmaj.exe File opened for modification C:\Windows\SysWOW64\Nbgakd32.exe Nmjicn32.exe File created C:\Windows\SysWOW64\Popkeh32.exe Oegflcbj.exe File created C:\Windows\SysWOW64\Oncaei32.dll Pbaide32.exe File opened for modification C:\Windows\SysWOW64\Jpomnilc.exe Iokdaa32.exe File created C:\Windows\SysWOW64\Lhhjcmpj.exe Llainlje.exe File created C:\Windows\SysWOW64\Folhio32.exe Feccqime.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3544 3524 WerFault.exe 250 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeblgodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilceog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfjpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqgngk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbkaoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmgbbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkndldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hggeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kloqiijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imdjlida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcqdidim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklaepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nicfnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onehadbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqneaodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agchdfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcncg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfadg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmapna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqbnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfegjknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbjcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbllph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqeaemk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpomnilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fialggcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnomkloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmiea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdloab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndpmbjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmggcmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmpfgklo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjqifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbkabdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbepplkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbaide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnhnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlqpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahobdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiphmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojkecka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhndf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbljogc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkomepon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcqdidim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pipklo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iijbnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjlnacb.dll" Hkpaoape.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfbchek.dll" Mdeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjgclcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpccf32.dll" Hbccklmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phhhchlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opkndldc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbaide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kneflplf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjdqfajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dghjmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoaabhm.dll" Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcllmmbh.dll" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" Flbehbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll" Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbbpp32.dll" Pipklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngobfm32.dll" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhhjcmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeon32.dll" Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjmoh32.dll" Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbaide32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmginio.dll" Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnmhogjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fomndhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkablj32.dll" Jeblgodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakqdpmg.dll" Emfbgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdbhcfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdgane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdgane32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kanfgofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddoj32.dll" Oegflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgbkf32.dll" Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfegjknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplped32.dll" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnomkloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgomoboc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqijmkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhkok32.dll" Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akhndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilceog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmocha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghcbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmnhnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjoqmd32.dll" Elnonp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 708 wrote to memory of 2252 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 29 PID 708 wrote to memory of 2252 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 29 PID 708 wrote to memory of 2252 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 29 PID 708 wrote to memory of 2252 708 280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe 29 PID 2252 wrote to memory of 2796 2252 Pcagkmaj.exe 30 PID 2252 wrote to memory of 2796 2252 Pcagkmaj.exe 30 PID 2252 wrote to memory of 2796 2252 Pcagkmaj.exe 30 PID 2252 wrote to memory of 2796 2252 Pcagkmaj.exe 30 PID 2796 wrote to memory of 2880 2796 Ppegdapd.exe 31 PID 2796 wrote to memory of 2880 2796 Ppegdapd.exe 31 PID 2796 wrote to memory of 2880 2796 Ppegdapd.exe 31 PID 2796 wrote to memory of 2880 2796 Ppegdapd.exe 31 PID 2880 wrote to memory of 1240 2880 Pnihneon.exe 32 PID 2880 wrote to memory of 1240 2880 Pnihneon.exe 32 PID 2880 wrote to memory of 1240 2880 Pnihneon.exe 32 PID 2880 wrote to memory of 1240 2880 Pnihneon.exe 32 PID 1240 wrote to memory of 840 1240 Adncoc32.exe 33 PID 1240 wrote to memory of 840 1240 Adncoc32.exe 33 PID 1240 wrote to memory of 840 1240 Adncoc32.exe 33 PID 1240 wrote to memory of 840 1240 Adncoc32.exe 33 PID 840 wrote to memory of 2628 840 Aklefm32.exe 34 PID 840 wrote to memory of 2628 840 Aklefm32.exe 34 PID 840 wrote to memory of 2628 840 Aklefm32.exe 34 PID 840 wrote to memory of 2628 840 Aklefm32.exe 34 PID 2628 wrote to memory of 2408 2628 Bjdnmi32.exe 35 PID 2628 wrote to memory of 2408 2628 Bjdnmi32.exe 35 PID 2628 wrote to memory of 2408 2628 Bjdnmi32.exe 35 PID 2628 wrote to memory of 2408 2628 Bjdnmi32.exe 35 PID 2408 wrote to memory of 3028 2408 Bikhce32.exe 36 PID 2408 wrote to memory of 3028 2408 Bikhce32.exe 36 PID 2408 wrote to memory of 3028 2408 Bikhce32.exe 36 PID 2408 wrote to memory of 3028 2408 Bikhce32.exe 36 PID 3028 wrote to memory of 2712 3028 Bklaepbn.exe 37 PID 3028 wrote to memory of 2712 3028 Bklaepbn.exe 37 PID 3028 wrote to memory of 2712 3028 Bklaepbn.exe 37 PID 3028 wrote to memory of 2712 3028 Bklaepbn.exe 37 PID 2712 wrote to memory of 2128 2712 Cfkkam32.exe 38 PID 2712 wrote to memory of 2128 2712 Cfkkam32.exe 38 PID 2712 wrote to memory of 2128 2712 Cfkkam32.exe 38 PID 2712 wrote to memory of 2128 2712 Cfkkam32.exe 38 PID 2128 wrote to memory of 3016 2128 Cfmhfm32.exe 39 PID 2128 wrote to memory of 3016 2128 Cfmhfm32.exe 39 PID 2128 wrote to memory of 3016 2128 Cfmhfm32.exe 39 PID 2128 wrote to memory of 3016 2128 Cfmhfm32.exe 39 PID 3016 wrote to memory of 2280 3016 Degobhjg.exe 40 PID 3016 wrote to memory of 2280 3016 Degobhjg.exe 40 PID 3016 wrote to memory of 2280 3016 Degobhjg.exe 40 PID 3016 wrote to memory of 2280 3016 Degobhjg.exe 40 PID 2280 wrote to memory of 2484 2280 Dbkolmia.exe 41 PID 2280 wrote to memory of 2484 2280 Dbkolmia.exe 41 PID 2280 wrote to memory of 2484 2280 Dbkolmia.exe 41 PID 2280 wrote to memory of 2484 2280 Dbkolmia.exe 41 PID 2484 wrote to memory of 2240 2484 Ehonebqq.exe 42 PID 2484 wrote to memory of 2240 2484 Ehonebqq.exe 42 PID 2484 wrote to memory of 2240 2484 Ehonebqq.exe 42 PID 2484 wrote to memory of 2240 2484 Ehonebqq.exe 42 PID 2240 wrote to memory of 1880 2240 Edenjc32.exe 43 PID 2240 wrote to memory of 1880 2240 Edenjc32.exe 43 PID 2240 wrote to memory of 1880 2240 Edenjc32.exe 43 PID 2240 wrote to memory of 1880 2240 Edenjc32.exe 43 PID 1880 wrote to memory of 2292 1880 Eekdmk32.exe 44 PID 1880 wrote to memory of 2292 1880 Eekdmk32.exe 44 PID 1880 wrote to memory of 2292 1880 Eekdmk32.exe 44 PID 1880 wrote to memory of 2292 1880 Eekdmk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe"C:\Users\Admin\AppData\Local\Temp\280cfc5b47b5e9e9d458f4ce85b7b1f0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Bikhce32.exeC:\Windows\system32\Bikhce32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Fdcncg32.exeC:\Windows\system32\Fdcncg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:676 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe40⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe47⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe48⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe51⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe52⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe59⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe60⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe61⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe63⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe67⤵PID:920
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe68⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe70⤵PID:2892
-
C:\Windows\SysWOW64\Qlcgmpkp.exeC:\Windows\system32\Qlcgmpkp.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe72⤵PID:588
-
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe73⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe75⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe76⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe77⤵PID:2608
-
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe78⤵PID:1468
-
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe80⤵PID:1264
-
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:108 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe82⤵PID:952
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe83⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Cihqbb32.exeC:\Windows\system32\Cihqbb32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1360 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe91⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe93⤵PID:832
-
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe96⤵PID:2232
-
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Elnonp32.exeC:\Windows\system32\Elnonp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe100⤵PID:2584
-
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe101⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Emfbgg32.exeC:\Windows\system32\Emfbgg32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Fimclh32.exeC:\Windows\system32\Fimclh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe105⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe106⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Fcjqpm32.exeC:\Windows\system32\Fcjqpm32.exe108⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe110⤵PID:2360
-
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe111⤵PID:276
-
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe113⤵PID:1496
-
C:\Windows\SysWOW64\Ggbljogc.exeC:\Windows\system32\Ggbljogc.exe114⤵
- System Location Discovery: System Language Discovery
PID:656 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe115⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe116⤵PID:2676
-
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe118⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Hikobfgj.exeC:\Windows\system32\Hikobfgj.exe119⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Hbccklmj.exeC:\Windows\system32\Hbccklmj.exe120⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-