Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 03:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
849f7c9d81aa4f504dfb3ea95125df80N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
849f7c9d81aa4f504dfb3ea95125df80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
849f7c9d81aa4f504dfb3ea95125df80N.exe
-
Size
96KB
-
MD5
849f7c9d81aa4f504dfb3ea95125df80
-
SHA1
256913245b06900c72e97278c5e39e5ec53ed97e
-
SHA256
a6e2989527e7ad01c357e65521290956fa5d0e3679cfe9357991b6fe6b1172a9
-
SHA512
0b827518d643935536684bbab5e159416c76a4f3558859393da92750388553b93d53b50afa89f78f6757bea9dbd4f8e938c99b80fc1665e86ce8406f4a2eecc0
-
SSDEEP
1536:tdiSWlT33P7L3nXKZHre3JOiWGX+e6O6Gr0z7aMIzBwe9MbinV39+ChnSdFFn7EZ:y933P7L3n6ZH+CGueZI7aM6wAMbqV39t
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnpcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qanolm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmnadlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbmmbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldcagaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdciiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcddlnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladpagin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladpagin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nickoldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqlfhjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjjkhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijgbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecoihm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhklha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpngmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnimpcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmkbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdeoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmelpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcilnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpddigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nifgekbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkmfofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkbnibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hginnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laackgka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfpni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaebfdba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpqjfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhdlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmcikd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkmfofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejiadgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inebpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgdcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmmcjjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmpnmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmpnmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebfdba.exe -
Executes dropped EXE 64 IoCs
pid Process 1340 Odcimipf.exe 2688 Ofdeeb32.exe 2680 Onkmfofg.exe 2656 Ogdaod32.exe 1676 Ohengmcf.exe 2608 Oqlfhjch.exe 3056 Obnbpb32.exe 1668 Ojdjqp32.exe 2244 Pmcgmkil.exe 1988 Pcmoie32.exe 2356 Pfkkeq32.exe 2632 Pijgbl32.exe 2276 Pkhdnh32.exe 1652 Pnfpjc32.exe 2116 Peqhgmdd.exe 2132 Pildgl32.exe 2152 Pkjqcg32.exe 1424 Pnimpcke.exe 888 Pqgilnji.exe 696 Pioamlkk.exe 1660 Pgaahh32.exe 1212 Pkmmigjo.exe 2284 Pbgefa32.exe 928 Pajeanhf.exe 3008 Pchbmigj.exe 1692 Pkojoghl.exe 2812 Pmqffonj.exe 2716 Qcjoci32.exe 2900 Qgfkchmp.exe 2804 Qnpcpa32.exe 452 Qanolm32.exe 2412 Qcmkhi32.exe 332 Qmepanje.exe 2484 Qaqlbmbn.exe 2268 Acohnhab.exe 1984 Ajipkb32.exe 844 Amglgn32.exe 2776 Aljmbknm.exe 2108 Abdeoe32.exe 2124 Ainmlomf.exe 2640 Almihjlj.exe 1772 Afbnec32.exe 2016 Aiqjao32.exe 2344 Ahcjmkbo.exe 1688 Apkbnibq.exe 1728 Aalofa32.exe 1840 Alaccj32.exe 1504 Abkkpd32.exe 1316 Aejglo32.exe 2672 Ahhchk32.exe 3044 Bjfpdf32.exe 1868 Bmelpa32.exe 2204 Beldao32.exe 2360 Bdodmlcm.exe 2348 Bfmqigba.exe 1320 Bodhjdcc.exe 2308 Bacefpbg.exe 2352 Bpfebmia.exe 1608 Bhmmcjjd.exe 2040 Bkkioeig.exe 916 Bmjekahk.exe 2528 Baealp32.exe 2092 Bbfnchfb.exe 2312 Bknfeege.exe -
Loads dropped DLL 64 IoCs
pid Process 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 1340 Odcimipf.exe 1340 Odcimipf.exe 2688 Ofdeeb32.exe 2688 Ofdeeb32.exe 2680 Onkmfofg.exe 2680 Onkmfofg.exe 2656 Ogdaod32.exe 2656 Ogdaod32.exe 1676 Ohengmcf.exe 1676 Ohengmcf.exe 2608 Oqlfhjch.exe 2608 Oqlfhjch.exe 3056 Obnbpb32.exe 3056 Obnbpb32.exe 1668 Ojdjqp32.exe 1668 Ojdjqp32.exe 2244 Pmcgmkil.exe 2244 Pmcgmkil.exe 1988 Pcmoie32.exe 1988 Pcmoie32.exe 2356 Pfkkeq32.exe 2356 Pfkkeq32.exe 2632 Pijgbl32.exe 2632 Pijgbl32.exe 2276 Pkhdnh32.exe 2276 Pkhdnh32.exe 1652 Pnfpjc32.exe 1652 Pnfpjc32.exe 2116 Peqhgmdd.exe 2116 Peqhgmdd.exe 2132 Pildgl32.exe 2132 Pildgl32.exe 2152 Pkjqcg32.exe 2152 Pkjqcg32.exe 1424 Pnimpcke.exe 1424 Pnimpcke.exe 888 Pqgilnji.exe 888 Pqgilnji.exe 696 Pioamlkk.exe 696 Pioamlkk.exe 1660 Pgaahh32.exe 1660 Pgaahh32.exe 1212 Pkmmigjo.exe 1212 Pkmmigjo.exe 2284 Pbgefa32.exe 2284 Pbgefa32.exe 928 Pajeanhf.exe 928 Pajeanhf.exe 3008 Pchbmigj.exe 3008 Pchbmigj.exe 1692 Pkojoghl.exe 1692 Pkojoghl.exe 2812 Pmqffonj.exe 2812 Pmqffonj.exe 2716 Qcjoci32.exe 2716 Qcjoci32.exe 2900 Qgfkchmp.exe 2900 Qgfkchmp.exe 2804 Qnpcpa32.exe 2804 Qnpcpa32.exe 452 Qanolm32.exe 452 Qanolm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gmcikd32.exe Gbnenk32.exe File created C:\Windows\SysWOW64\Nahfkigd.exe Nmmjjk32.exe File opened for modification C:\Windows\SysWOW64\Ofdeeb32.exe Odcimipf.exe File created C:\Windows\SysWOW64\Godhpb32.dll Dcdfdi32.exe File opened for modification C:\Windows\SysWOW64\Ddhcbnnn.exe Dajgfboj.exe File created C:\Windows\SysWOW64\Ljecbkfm.dll Icdhnn32.exe File created C:\Windows\SysWOW64\Lhklha32.exe Laackgka.exe File created C:\Windows\SysWOW64\Nldcagaq.exe Nifgekbm.exe File created C:\Windows\SysWOW64\Eejanc32.dll Qanolm32.exe File opened for modification C:\Windows\SysWOW64\Bodhjdcc.exe Bfmqigba.exe File opened for modification C:\Windows\SysWOW64\Cdcjgnbc.exe Caenkc32.exe File created C:\Windows\SysWOW64\Laackgka.exe Ljgkom32.exe File created C:\Windows\SysWOW64\Eljgid32.dll Ijampgde.exe File created C:\Windows\SysWOW64\Ljfnnkkc.dll Kfgjdlme.exe File opened for modification C:\Windows\SysWOW64\Bfmqigba.exe Bdodmlcm.exe File created C:\Windows\SysWOW64\Iekcqo32.dll Laackgka.exe File created C:\Windows\SysWOW64\Ofmlooqi.dll Pkjqcg32.exe File created C:\Windows\SysWOW64\Ciodpf32.dll Icgdcm32.exe File created C:\Windows\SysWOW64\Lggbmbfc.exe Lbjjekhl.exe File opened for modification C:\Windows\SysWOW64\Dlhaaogd.exe Dfniee32.exe File opened for modification C:\Windows\SysWOW64\Lhklha32.exe Laackgka.exe File created C:\Windows\SysWOW64\Qamnbhdj.dll Bkkioeig.exe File created C:\Windows\SysWOW64\Idcnlffk.dll Bbfnchfb.exe File created C:\Windows\SysWOW64\Pmnonj32.dll Cdfgmnpa.exe File created C:\Windows\SysWOW64\Edhpaa32.exe Ebicee32.exe File created C:\Windows\SysWOW64\Peapkpkj.dll Cbkgog32.exe File created C:\Windows\SysWOW64\Mokegi32.dll Capdpcge.exe File created C:\Windows\SysWOW64\Dfniee32.exe Dcpmijqc.exe File opened for modification C:\Windows\SysWOW64\Fnbmoi32.exe Fmaqgaae.exe File created C:\Windows\SysWOW64\Jhhfgcgj.exe Jfjjkhhg.exe File opened for modification C:\Windows\SysWOW64\Jddqgdii.exe Jkllnn32.exe File opened for modification C:\Windows\SysWOW64\Bdfjnkne.exe Blobmm32.exe File created C:\Windows\SysWOW64\Clhecl32.exe Cdamao32.exe File opened for modification C:\Windows\SysWOW64\Cdfgmnpa.exe Cagjqbam.exe File created C:\Windows\SysWOW64\Npnclf32.exe Nmogpj32.exe File created C:\Windows\SysWOW64\Fcfohlmg.exe Fmlglb32.exe File opened for modification C:\Windows\SysWOW64\Mhfoleio.exe Mehbpjjk.exe File created C:\Windows\SysWOW64\Ndjhjkfi.dll Ahhchk32.exe File created C:\Windows\SysWOW64\Hahljg32.exe Hbekojlp.exe File created C:\Windows\SysWOW64\Limhpihl.exe Ljjhdm32.exe File opened for modification C:\Windows\SysWOW64\Mifkfhpa.exe Mejoei32.exe File created C:\Windows\SysWOW64\Pakpllpl.dll Ndgbgefh.exe File created C:\Windows\SysWOW64\Ogdaod32.exe Onkmfofg.exe File opened for modification C:\Windows\SysWOW64\Dkmncl32.exe Dhobgp32.exe File opened for modification C:\Windows\SysWOW64\Emjjfb32.exe Efpbih32.exe File created C:\Windows\SysWOW64\Jlmhimhb.dll Bpmkbl32.exe File created C:\Windows\SysWOW64\Qcehpcal.dll Kqmnadlk.exe File created C:\Windows\SysWOW64\Jeekfpjf.dll Gbbbjg32.exe File created C:\Windows\SysWOW64\Hmqieh32.exe Honiikpa.exe File opened for modification C:\Windows\SysWOW64\Caenkc32.exe Cniajdkg.exe File created C:\Windows\SysWOW64\Jkbhmg32.dll Gfgdij32.exe File created C:\Windows\SysWOW64\Mddibb32.exe Mlmaad32.exe File created C:\Windows\SysWOW64\Mbjfcnkg.exe Mpkjgckc.exe File created C:\Windows\SysWOW64\Jafjpdlm.dll Alaccj32.exe File created C:\Windows\SysWOW64\Bdodmlcm.exe Beldao32.exe File created C:\Windows\SysWOW64\Ojdjqp32.exe Obnbpb32.exe File created C:\Windows\SysWOW64\Nmhqokcq.exe Noepdo32.exe File created C:\Windows\SysWOW64\Blagna32.dll Oemhjlha.exe File created C:\Windows\SysWOW64\Ihijhpdo.exe Iaobkf32.exe File opened for modification C:\Windows\SysWOW64\Mbjfcnkg.exe Mpkjgckc.exe File created C:\Windows\SysWOW64\Gjbcnmen.dll Pbgefa32.exe File created C:\Windows\SysWOW64\Khpbbn32.dll Ckkenikc.exe File created C:\Windows\SysWOW64\Oijehm32.dll Gmcikd32.exe File opened for modification C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4056 3984 WerFault.exe 292 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdodmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncdqcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enngdgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neohqicc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjboeenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpbih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhadgakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keappgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfoleio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkojoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdamao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebicee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnenk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbfcjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facfpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkilgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgilnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaqgaae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklaipbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioamlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmqieh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcimhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maapjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nickoldp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npnclf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egihcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knoaeimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqhkcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijampgde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmefad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihijhpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdofebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcgmkil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amglgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohengmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejiadgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmpnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgdij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggkipci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknfeege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkgog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladpagin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdihmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihijhpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdglfeli.dll" Inhoegqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcehpcal.dll" Kqmnadlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbmoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldgbcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll" Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadbgifg.dll" Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dofnnkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakpllpl.dll" Ndgbgefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodciccp.dll" Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbcgeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baohnn32.dll" Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkmfofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmmbaal.dll" Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cggcofkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodpeepd.dll" Kmoekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll" Nggkipci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfcop32.dll" Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonkpi32.dll" Mldgbcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhhfgcgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mioeeifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcilnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegibbeb.dll" Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll" Cbkgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll" Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdekl32.dll" Gecklbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgpock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doijgpba.dll" Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejanc32.dll" Qanolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilgcb32.dll" Edeclabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdldhfli.dll" Hbekojlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdbjl32.dll" Jlaeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljgkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mddibb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndgbgefh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijgbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll" Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhflco32.dll" Ljgkom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcbkpnn.dll" Fjqhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hginnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddqgdii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfanqcch.dll" Ebicee32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 1340 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 30 PID 2120 wrote to memory of 1340 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 30 PID 2120 wrote to memory of 1340 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 30 PID 2120 wrote to memory of 1340 2120 849f7c9d81aa4f504dfb3ea95125df80N.exe 30 PID 1340 wrote to memory of 2688 1340 Odcimipf.exe 31 PID 1340 wrote to memory of 2688 1340 Odcimipf.exe 31 PID 1340 wrote to memory of 2688 1340 Odcimipf.exe 31 PID 1340 wrote to memory of 2688 1340 Odcimipf.exe 31 PID 2688 wrote to memory of 2680 2688 Ofdeeb32.exe 32 PID 2688 wrote to memory of 2680 2688 Ofdeeb32.exe 32 PID 2688 wrote to memory of 2680 2688 Ofdeeb32.exe 32 PID 2688 wrote to memory of 2680 2688 Ofdeeb32.exe 32 PID 2680 wrote to memory of 2656 2680 Onkmfofg.exe 33 PID 2680 wrote to memory of 2656 2680 Onkmfofg.exe 33 PID 2680 wrote to memory of 2656 2680 Onkmfofg.exe 33 PID 2680 wrote to memory of 2656 2680 Onkmfofg.exe 33 PID 2656 wrote to memory of 1676 2656 Ogdaod32.exe 34 PID 2656 wrote to memory of 1676 2656 Ogdaod32.exe 34 PID 2656 wrote to memory of 1676 2656 Ogdaod32.exe 34 PID 2656 wrote to memory of 1676 2656 Ogdaod32.exe 34 PID 1676 wrote to memory of 2608 1676 Ohengmcf.exe 35 PID 1676 wrote to memory of 2608 1676 Ohengmcf.exe 35 PID 1676 wrote to memory of 2608 1676 Ohengmcf.exe 35 PID 1676 wrote to memory of 2608 1676 Ohengmcf.exe 35 PID 2608 wrote to memory of 3056 2608 Oqlfhjch.exe 36 PID 2608 wrote to memory of 3056 2608 Oqlfhjch.exe 36 PID 2608 wrote to memory of 3056 2608 Oqlfhjch.exe 36 PID 2608 wrote to memory of 3056 2608 Oqlfhjch.exe 36 PID 3056 wrote to memory of 1668 3056 Obnbpb32.exe 37 PID 3056 wrote to memory of 1668 3056 Obnbpb32.exe 37 PID 3056 wrote to memory of 1668 3056 Obnbpb32.exe 37 PID 3056 wrote to memory of 1668 3056 Obnbpb32.exe 37 PID 1668 wrote to memory of 2244 1668 Ojdjqp32.exe 38 PID 1668 wrote to memory of 2244 1668 Ojdjqp32.exe 38 PID 1668 wrote to memory of 2244 1668 Ojdjqp32.exe 38 PID 1668 wrote to memory of 2244 1668 Ojdjqp32.exe 38 PID 2244 wrote to memory of 1988 2244 Pmcgmkil.exe 39 PID 2244 wrote to memory of 1988 2244 Pmcgmkil.exe 39 PID 2244 wrote to memory of 1988 2244 Pmcgmkil.exe 39 PID 2244 wrote to memory of 1988 2244 Pmcgmkil.exe 39 PID 1988 wrote to memory of 2356 1988 Pcmoie32.exe 40 PID 1988 wrote to memory of 2356 1988 Pcmoie32.exe 40 PID 1988 wrote to memory of 2356 1988 Pcmoie32.exe 40 PID 1988 wrote to memory of 2356 1988 Pcmoie32.exe 40 PID 2356 wrote to memory of 2632 2356 Pfkkeq32.exe 41 PID 2356 wrote to memory of 2632 2356 Pfkkeq32.exe 41 PID 2356 wrote to memory of 2632 2356 Pfkkeq32.exe 41 PID 2356 wrote to memory of 2632 2356 Pfkkeq32.exe 41 PID 2632 wrote to memory of 2276 2632 Pijgbl32.exe 42 PID 2632 wrote to memory of 2276 2632 Pijgbl32.exe 42 PID 2632 wrote to memory of 2276 2632 Pijgbl32.exe 42 PID 2632 wrote to memory of 2276 2632 Pijgbl32.exe 42 PID 2276 wrote to memory of 1652 2276 Pkhdnh32.exe 43 PID 2276 wrote to memory of 1652 2276 Pkhdnh32.exe 43 PID 2276 wrote to memory of 1652 2276 Pkhdnh32.exe 43 PID 2276 wrote to memory of 1652 2276 Pkhdnh32.exe 43 PID 1652 wrote to memory of 2116 1652 Pnfpjc32.exe 44 PID 1652 wrote to memory of 2116 1652 Pnfpjc32.exe 44 PID 1652 wrote to memory of 2116 1652 Pnfpjc32.exe 44 PID 1652 wrote to memory of 2116 1652 Pnfpjc32.exe 44 PID 2116 wrote to memory of 2132 2116 Peqhgmdd.exe 45 PID 2116 wrote to memory of 2132 2116 Peqhgmdd.exe 45 PID 2116 wrote to memory of 2132 2116 Peqhgmdd.exe 45 PID 2116 wrote to memory of 2132 2116 Peqhgmdd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\849f7c9d81aa4f504dfb3ea95125df80N.exe"C:\Users\Admin\AppData\Local\Temp\849f7c9d81aa4f504dfb3ea95125df80N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Odcimipf.exeC:\Windows\system32\Odcimipf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Pfkkeq32.exeC:\Windows\system32\Pfkkeq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Pijgbl32.exeC:\Windows\system32\Pijgbl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Pnfpjc32.exeC:\Windows\system32\Pnfpjc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Pqgilnji.exeC:\Windows\system32\Pqgilnji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Pgaahh32.exeC:\Windows\system32\Pgaahh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Pbgefa32.exeC:\Windows\system32\Pbgefa32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Qcjoci32.exeC:\Windows\system32\Qcjoci32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Qgfkchmp.exeC:\Windows\system32\Qgfkchmp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Qanolm32.exeC:\Windows\system32\Qanolm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Qmepanje.exeC:\Windows\system32\Qmepanje.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Qaqlbmbn.exeC:\Windows\system32\Qaqlbmbn.exe35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe36⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe37⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Amglgn32.exeC:\Windows\system32\Amglgn32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe39⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Abdeoe32.exeC:\Windows\system32\Abdeoe32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe42⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe43⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe44⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe45⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe47⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Alaccj32.exeC:\Windows\system32\Alaccj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe49⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe52⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Bdodmlcm.exeC:\Windows\system32\Bdodmlcm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe57⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe59⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe62⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe63⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe66⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe67⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Bgdfjfmi.exeC:\Windows\system32\Bgdfjfmi.exe69⤵PID:2096
-
C:\Windows\SysWOW64\Biccfalm.exeC:\Windows\system32\Biccfalm.exe70⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe71⤵PID:920
-
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe74⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe75⤵PID:2948
-
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe76⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Cpohhk32.exeC:\Windows\system32\Cpohhk32.exe77⤵PID:2388
-
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe78⤵PID:868
-
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe79⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe80⤵PID:2472
-
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe81⤵PID:2748
-
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe82⤵PID:2856
-
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:412 -
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe84⤵PID:1588
-
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe86⤵PID:2956
-
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Caenkc32.exeC:\Windows\system32\Caenkc32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe90⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe91⤵
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe92⤵PID:2468
-
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe93⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe94⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe96⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe97⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe98⤵PID:2700
-
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Dpodgocb.exeC:\Windows\system32\Dpodgocb.exe101⤵PID:2732
-
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe102⤵PID:1664
-
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe103⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe104⤵PID:2332
-
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe105⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe106⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe107⤵PID:2556
-
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe108⤵
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe109⤵PID:1612
-
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:360 -
C:\Windows\SysWOW64\Dkmncl32.exeC:\Windows\system32\Dkmncl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe113⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe114⤵
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe116⤵PID:2624
-
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Eblpke32.exeC:\Windows\system32\Eblpke32.exe118⤵PID:2612
-
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe119⤵PID:1204
-
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Enbapf32.exeC:\Windows\system32\Enbapf32.exe121⤵PID:2912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-