Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 11:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe
-
Size
80KB
-
MD5
b0fb8fdc2b1cde6b7fb9f9930df4bec0
-
SHA1
57e638b279a606adb12db7fc82c264c7783236f3
-
SHA256
03c592b407193913b1d67626da3dae558d9fe145bade897ba2473c24630a90af
-
SHA512
318b9274c430e705d76441cdf4529b9a39a55d58edf61c44a74c2dfa1e1b102c7e5ae2d0a85a08e04a6e7c331cf2d5bee36940fe2a7b9b3973b43038ee04820b
-
SSDEEP
1536:wP+eO4DpWdZP1UXFnRG2Onv+pxtNAvoDXoxHyubFeJuqnhCN:wWopWoFXA+pxtgoDiH3bFeJLCN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmhbplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbcbjlmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emagacdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcpgdhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odchbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpebmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clojhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnihdemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lonpma32.exe -
Executes dropped EXE 64 IoCs
pid Process 2348 Aqjdgmgd.exe 1868 Aciqcifh.exe 2816 Amaelomh.exe 2744 Aggiigmn.exe 2856 Amcbankf.exe 2828 Acnjnh32.exe 2112 Aflfjc32.exe 1132 Aijbfo32.exe 2328 Akiobk32.exe 2680 Bcpgdhpp.exe 2960 Bbbgod32.exe 1080 Beackp32.exe 2104 Bimoloog.exe 2140 Bkklhjnk.exe 1912 Bnihdemo.exe 748 Bfqpecma.exe 316 Becpap32.exe 1400 Biolanld.exe 828 Bkmhnjlh.exe 1960 Boidnh32.exe 656 Bbgqjdce.exe 2580 Bajqfq32.exe 1928 Befmfpbi.exe 1876 Bkpeci32.exe 1944 Bjbeofpp.exe 2796 Bbjmpcab.exe 2720 Bgffhkoj.exe 2740 Bjebdfnn.exe 2824 Bnqned32.exe 2604 Baojapfj.exe 2184 Cjgoje32.exe 2332 Cmfkfa32.exe 556 Caaggpdh.exe 2952 Cgkocj32.exe 1956 Cfnoogbo.exe 1436 Cacclpae.exe 2452 Ccbphk32.exe 3036 Cfpldf32.exe 1712 Ciohqa32.exe 2204 Cmjdaqgi.exe 1440 Clmdmm32.exe 1636 Cbgmigeq.exe 2108 Cfcijf32.exe 2092 Clpabm32.exe 936 Cbiiog32.exe 1424 Cehfkb32.exe 1452 Cicalakk.exe 2736 Chfbgn32.exe 2436 Cpmjhk32.exe 2640 Copjdhib.exe 2660 Cblfdg32.exe 2568 Dejbqb32.exe 1460 Difnaqih.exe 2224 Dhiomn32.exe 1236 Djgkii32.exe 452 Dobgihgp.exe 1292 Dbncjf32.exe 2056 Daacecfc.exe 2592 Ddpobo32.exe 2468 Dhkkbmnp.exe 840 Dlfgcl32.exe 2620 Dkigoimd.exe 1480 Dmhdkdlg.exe 2804 Dacpkc32.exe -
Loads dropped DLL 64 IoCs
pid Process 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 2348 Aqjdgmgd.exe 2348 Aqjdgmgd.exe 1868 Aciqcifh.exe 1868 Aciqcifh.exe 2816 Amaelomh.exe 2816 Amaelomh.exe 2744 Aggiigmn.exe 2744 Aggiigmn.exe 2856 Amcbankf.exe 2856 Amcbankf.exe 2828 Acnjnh32.exe 2828 Acnjnh32.exe 2112 Aflfjc32.exe 2112 Aflfjc32.exe 1132 Aijbfo32.exe 1132 Aijbfo32.exe 2328 Akiobk32.exe 2328 Akiobk32.exe 2680 Bcpgdhpp.exe 2680 Bcpgdhpp.exe 2960 Bbbgod32.exe 2960 Bbbgod32.exe 1080 Beackp32.exe 1080 Beackp32.exe 2104 Bimoloog.exe 2104 Bimoloog.exe 2140 Bkklhjnk.exe 2140 Bkklhjnk.exe 1912 Bnihdemo.exe 1912 Bnihdemo.exe 748 Bfqpecma.exe 748 Bfqpecma.exe 316 Becpap32.exe 316 Becpap32.exe 1400 Biolanld.exe 1400 Biolanld.exe 828 Bkmhnjlh.exe 828 Bkmhnjlh.exe 1960 Boidnh32.exe 1960 Boidnh32.exe 656 Bbgqjdce.exe 656 Bbgqjdce.exe 2580 Bajqfq32.exe 2580 Bajqfq32.exe 1928 Befmfpbi.exe 1928 Befmfpbi.exe 1876 Bkpeci32.exe 1876 Bkpeci32.exe 1944 Bjbeofpp.exe 1944 Bjbeofpp.exe 2796 Bbjmpcab.exe 2796 Bbjmpcab.exe 2720 Bgffhkoj.exe 2720 Bgffhkoj.exe 2740 Bjebdfnn.exe 2740 Bjebdfnn.exe 2824 Bnqned32.exe 2824 Bnqned32.exe 2604 Baojapfj.exe 2604 Baojapfj.exe 2184 Cjgoje32.exe 2184 Cjgoje32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jlkngc32.exe Jfofol32.exe File created C:\Windows\SysWOW64\Jlnklcej.exe Jioopgef.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File created C:\Windows\SysWOW64\Ofehob32.dll Ehmdgp32.exe File created C:\Windows\SysWOW64\Ioohokoo.exe Ifgpnmom.exe File opened for modification C:\Windows\SysWOW64\Ihpfgalh.exe Iafnjg32.exe File opened for modification C:\Windows\SysWOW64\Jfliim32.exe Jpbalb32.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Offmipej.exe File created C:\Windows\SysWOW64\Bnqned32.exe Bjebdfnn.exe File opened for modification C:\Windows\SysWOW64\Fdmhbplb.exe Fqalaa32.exe File opened for modification C:\Windows\SysWOW64\Omklkkpl.exe Oippjl32.exe File created C:\Windows\SysWOW64\Hpqnnmcd.dll Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cchbgi32.exe File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe Djdgic32.exe File created C:\Windows\SysWOW64\Fjegog32.exe Fggkcl32.exe File created C:\Windows\SysWOW64\Fgldnkkf.exe Fdmhbplb.exe File created C:\Windows\SysWOW64\Oqlecd32.dll Pkjphcff.exe File created C:\Windows\SysWOW64\Cmpgpond.exe Clojhf32.exe File created C:\Windows\SysWOW64\Pefqie32.dll Dicnkdnf.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Offmipej.exe File created C:\Windows\SysWOW64\Diibmpdj.dll Jlkngc32.exe File created C:\Windows\SysWOW64\Hfiocpon.dll Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Oplelf32.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File created C:\Windows\SysWOW64\Jeecim32.dll Gdhkfd32.exe File created C:\Windows\SysWOW64\Iafnjg32.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Cacclpae.exe Cfnoogbo.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Eaheeecg.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Olpilg32.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File created C:\Windows\SysWOW64\Kikpibof.dll Befmfpbi.exe File created C:\Windows\SysWOW64\Hjhmbnfb.dll Cjgoje32.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lbafdlod.exe File created C:\Windows\SysWOW64\Dnbamjbm.dll Bqgmfkhg.exe File opened for modification C:\Windows\SysWOW64\Cocphf32.exe Ciihklpj.exe File created C:\Windows\SysWOW64\Bnihdemo.exe Bkklhjnk.exe File created C:\Windows\SysWOW64\Hjcppidk.exe Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe Neknki32.exe File created C:\Windows\SysWOW64\Nhlgmd32.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Obahbj32.dll Bqeqqk32.exe File opened for modification C:\Windows\SysWOW64\Coacbfii.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File created C:\Windows\SysWOW64\Aekeef32.dll Gneijien.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jlkngc32.exe File opened for modification C:\Windows\SysWOW64\Gmpcgace.exe Gdhkfd32.exe File opened for modification C:\Windows\SysWOW64\Odchbe32.exe Opglafab.exe File created C:\Windows\SysWOW64\Adpqglen.dll Ahpifj32.exe File created C:\Windows\SysWOW64\Jclnhnji.dll Bjbeofpp.exe File created C:\Windows\SysWOW64\Difnaqih.exe Dejbqb32.exe File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Qcogbdkg.exe File created C:\Windows\SysWOW64\Dgnenf32.dll Bnknoogp.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bgcbhd32.exe File created C:\Windows\SysWOW64\Pdkefp32.dll Dmbcen32.exe File created C:\Windows\SysWOW64\Miidam32.dll Cacclpae.exe File created C:\Windows\SysWOW64\Dejbqb32.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Piicpk32.exe Oemgplgo.exe File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Phnpagdp.exe File opened for modification C:\Windows\SysWOW64\Cgkocj32.exe Caaggpdh.exe File opened for modification C:\Windows\SysWOW64\Jfofol32.exe Jdpjba32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4844 4636 WerFault.exe 435 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmlmbcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjebdfnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflfjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacbfii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difnaqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbiiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmdgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdiga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklkcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plgolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcnkhmdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mobfgdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll" Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhfppnm.dll" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqalaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggpmn32.dll" Ifgpnmom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkgngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" Qcogbdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjeanhe.dll" Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikgge32.dll" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkkdd32.dll" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknedeoi.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojijh32.dll" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nebhgckp.dll" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhebgh32.dll" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll" Padhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflhon32.dll" Opihgfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlgimqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdkklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdkgkcpq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 900 wrote to memory of 2348 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 30 PID 900 wrote to memory of 2348 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 30 PID 900 wrote to memory of 2348 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 30 PID 900 wrote to memory of 2348 900 b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe 30 PID 2348 wrote to memory of 1868 2348 Aqjdgmgd.exe 31 PID 2348 wrote to memory of 1868 2348 Aqjdgmgd.exe 31 PID 2348 wrote to memory of 1868 2348 Aqjdgmgd.exe 31 PID 2348 wrote to memory of 1868 2348 Aqjdgmgd.exe 31 PID 1868 wrote to memory of 2816 1868 Aciqcifh.exe 32 PID 1868 wrote to memory of 2816 1868 Aciqcifh.exe 32 PID 1868 wrote to memory of 2816 1868 Aciqcifh.exe 32 PID 1868 wrote to memory of 2816 1868 Aciqcifh.exe 32 PID 2816 wrote to memory of 2744 2816 Amaelomh.exe 33 PID 2816 wrote to memory of 2744 2816 Amaelomh.exe 33 PID 2816 wrote to memory of 2744 2816 Amaelomh.exe 33 PID 2816 wrote to memory of 2744 2816 Amaelomh.exe 33 PID 2744 wrote to memory of 2856 2744 Aggiigmn.exe 34 PID 2744 wrote to memory of 2856 2744 Aggiigmn.exe 34 PID 2744 wrote to memory of 2856 2744 Aggiigmn.exe 34 PID 2744 wrote to memory of 2856 2744 Aggiigmn.exe 34 PID 2856 wrote to memory of 2828 2856 Amcbankf.exe 35 PID 2856 wrote to memory of 2828 2856 Amcbankf.exe 35 PID 2856 wrote to memory of 2828 2856 Amcbankf.exe 35 PID 2856 wrote to memory of 2828 2856 Amcbankf.exe 35 PID 2828 wrote to memory of 2112 2828 Acnjnh32.exe 36 PID 2828 wrote to memory of 2112 2828 Acnjnh32.exe 36 PID 2828 wrote to memory of 2112 2828 Acnjnh32.exe 36 PID 2828 wrote to memory of 2112 2828 Acnjnh32.exe 36 PID 2112 wrote to memory of 1132 2112 Aflfjc32.exe 37 PID 2112 wrote to memory of 1132 2112 Aflfjc32.exe 37 PID 2112 wrote to memory of 1132 2112 Aflfjc32.exe 37 PID 2112 wrote to memory of 1132 2112 Aflfjc32.exe 37 PID 1132 wrote to memory of 2328 1132 Aijbfo32.exe 38 PID 1132 wrote to memory of 2328 1132 Aijbfo32.exe 38 PID 1132 wrote to memory of 2328 1132 Aijbfo32.exe 38 PID 1132 wrote to memory of 2328 1132 Aijbfo32.exe 38 PID 2328 wrote to memory of 2680 2328 Akiobk32.exe 39 PID 2328 wrote to memory of 2680 2328 Akiobk32.exe 39 PID 2328 wrote to memory of 2680 2328 Akiobk32.exe 39 PID 2328 wrote to memory of 2680 2328 Akiobk32.exe 39 PID 2680 wrote to memory of 2960 2680 Bcpgdhpp.exe 40 PID 2680 wrote to memory of 2960 2680 Bcpgdhpp.exe 40 PID 2680 wrote to memory of 2960 2680 Bcpgdhpp.exe 40 PID 2680 wrote to memory of 2960 2680 Bcpgdhpp.exe 40 PID 2960 wrote to memory of 1080 2960 Bbbgod32.exe 41 PID 2960 wrote to memory of 1080 2960 Bbbgod32.exe 41 PID 2960 wrote to memory of 1080 2960 Bbbgod32.exe 41 PID 2960 wrote to memory of 1080 2960 Bbbgod32.exe 41 PID 1080 wrote to memory of 2104 1080 Beackp32.exe 42 PID 1080 wrote to memory of 2104 1080 Beackp32.exe 42 PID 1080 wrote to memory of 2104 1080 Beackp32.exe 42 PID 1080 wrote to memory of 2104 1080 Beackp32.exe 42 PID 2104 wrote to memory of 2140 2104 Bimoloog.exe 43 PID 2104 wrote to memory of 2140 2104 Bimoloog.exe 43 PID 2104 wrote to memory of 2140 2104 Bimoloog.exe 43 PID 2104 wrote to memory of 2140 2104 Bimoloog.exe 43 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 2140 wrote to memory of 1912 2140 Bkklhjnk.exe 44 PID 1912 wrote to memory of 748 1912 Bnihdemo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe"C:\Users\Admin\AppData\Local\Temp\b0fb8fdc2b1cde6b7fb9f9930df4bec0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe35⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe39⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe40⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe42⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe43⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe47⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe48⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe50⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe51⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe56⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe57⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe58⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe60⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe61⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe62⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe66⤵PID:2516
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe67⤵PID:1536
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe68⤵PID:2668
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe70⤵PID:2068
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe71⤵PID:2240
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe72⤵PID:1980
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe74⤵PID:680
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe75⤵PID:2708
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe77⤵PID:2552
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe78⤵PID:1888
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe79⤵PID:3048
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe80⤵PID:768
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe81⤵PID:2876
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe82⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe87⤵PID:2972
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe89⤵PID:1192
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe90⤵PID:3020
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe91⤵PID:1784
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe92⤵PID:2296
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe95⤵PID:2340
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe97⤵PID:1008
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe98⤵PID:2652
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe100⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe101⤵PID:2484
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe102⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe103⤵PID:1464
-
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe104⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe105⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe107⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe108⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe109⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe110⤵PID:2212
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe113⤵PID:2528
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe114⤵PID:2324
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe117⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe118⤵PID:1232
-
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe119⤵PID:576
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe120⤵PID:1280
-
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe121⤵PID:2576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-