Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
37s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 00:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6651ad78c166c577845b7d3efcc21c60N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
6651ad78c166c577845b7d3efcc21c60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
6651ad78c166c577845b7d3efcc21c60N.exe
-
Size
96KB
-
MD5
6651ad78c166c577845b7d3efcc21c60
-
SHA1
80dda70f315a2add466b35d8502c13af5af894ae
-
SHA256
5c19d19dcb02bcc0af5590de6ef2339786d65ed4ef3ac2a665357328def79544
-
SHA512
6f2d9a1a7038d7808214c2b072f1e89b07978a0926202673ea15fd77ffd34ba66e3b78e4ef255129351b8166e280dd7eff9ece5d57ba8914ad213beed2e28bf4
-
SSDEEP
1536:KpWMeKA1I9lPJzExRNvqYFlohTUb4qDOchfdd+ZL92LdSaIZTJ+7LhkiB0MPiKeg:UeybARNvqYrohTUb4BCAaMU7uihJ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcaghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbanlfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfobjdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpnlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blejgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bofbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehopnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcfenn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olokighn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmegkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpeimhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkancm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgooikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blejgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhani32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeilbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcehngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdqfnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfobjdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgdlnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlcfnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehopnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foidii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppejmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqlhlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geplpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmiea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkakbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bofbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omddmkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdhigo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcmeogam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cilfka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaegaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjchjcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgcbmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmegkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgooikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfadc32.exe -
Executes dropped EXE 64 IoCs
pid Process 1644 Opqdcgib.exe 2040 Oclpdf32.exe 1568 Omddmkhl.exe 2836 Onfadc32.exe 2732 Ofmiea32.exe 2648 Oafjfokk.exe 2640 Oebffm32.exe 2096 Onkjocjd.exe 2968 Obffpa32.exe 3008 Olokighn.exe 2984 Oakcan32.exe 924 Phelnhnb.exe 696 Pjchjcmf.exe 1212 Phhhchlp.exe 2088 Pfjiod32.exe 1048 Pjhaec32.exe 2276 Ppejmj32.exe 2204 Pdqfnhpa.exe 1524 Pfobjdoe.exe 1744 Plljbkml.exe 2688 Ppgfciee.exe 1536 Pfaopc32.exe 1176 Pedokpcm.exe 872 Qbhpddbf.exe 2516 Qeglqpaj.exe 2912 Qibhao32.exe 2812 Qkcdigpa.exe 2208 Alcqcjgd.exe 832 Aoamoefh.exe 2672 Aekelo32.exe 1924 Ahjahk32.exe 1984 Anfjpa32.exe 2796 Aabfqp32.exe 2848 Adqbml32.exe 2396 Ahlnmjkf.exe 1316 Aimkeb32.exe 1692 Apgcbmha.exe 2060 Adcobk32.exe 2400 Agakog32.exe 2156 Akmgoehg.exe 792 Ankckagj.exe 1528 Apjpglfn.exe 1312 Adekhkng.exe 1540 Achlch32.exe 916 Aefhpc32.exe 2692 Annpaq32.exe 1544 Alqplmlb.exe 1664 Apllml32.exe 1368 Bcjhig32.exe 2268 Bfieec32.exe 2064 Bjdqfajl.exe 1808 Bhgaan32.exe 2624 Bpnibl32.exe 2660 Bcmeogam.exe 2956 Bfkakbpp.exe 2964 Bjgmka32.exe 2952 Blejgm32.exe 3052 Bcobdgoj.exe 1660 Babbpc32.exe 1308 Bdpnlo32.exe 568 Bhljlnma.exe 2120 Bkjfhile.exe 2512 Bofbih32.exe 2452 Bnicddki.exe -
Loads dropped DLL 64 IoCs
pid Process 2508 6651ad78c166c577845b7d3efcc21c60N.exe 2508 6651ad78c166c577845b7d3efcc21c60N.exe 1644 Opqdcgib.exe 1644 Opqdcgib.exe 2040 Oclpdf32.exe 2040 Oclpdf32.exe 1568 Omddmkhl.exe 1568 Omddmkhl.exe 2836 Onfadc32.exe 2836 Onfadc32.exe 2732 Ofmiea32.exe 2732 Ofmiea32.exe 2648 Oafjfokk.exe 2648 Oafjfokk.exe 2640 Oebffm32.exe 2640 Oebffm32.exe 2096 Onkjocjd.exe 2096 Onkjocjd.exe 2968 Obffpa32.exe 2968 Obffpa32.exe 3008 Olokighn.exe 3008 Olokighn.exe 2984 Oakcan32.exe 2984 Oakcan32.exe 924 Phelnhnb.exe 924 Phelnhnb.exe 696 Pjchjcmf.exe 696 Pjchjcmf.exe 1212 Phhhchlp.exe 1212 Phhhchlp.exe 2088 Pfjiod32.exe 2088 Pfjiod32.exe 1048 Pjhaec32.exe 1048 Pjhaec32.exe 2276 Ppejmj32.exe 2276 Ppejmj32.exe 2204 Pdqfnhpa.exe 2204 Pdqfnhpa.exe 1524 Pfobjdoe.exe 1524 Pfobjdoe.exe 1744 Plljbkml.exe 1744 Plljbkml.exe 2688 Ppgfciee.exe 2688 Ppgfciee.exe 1536 Pfaopc32.exe 1536 Pfaopc32.exe 1176 Pedokpcm.exe 1176 Pedokpcm.exe 872 Qbhpddbf.exe 872 Qbhpddbf.exe 2516 Qeglqpaj.exe 2516 Qeglqpaj.exe 2912 Qibhao32.exe 2912 Qibhao32.exe 2812 Qkcdigpa.exe 2812 Qkcdigpa.exe 2208 Alcqcjgd.exe 2208 Alcqcjgd.exe 832 Aoamoefh.exe 832 Aoamoefh.exe 2672 Aekelo32.exe 2672 Aekelo32.exe 1924 Ahjahk32.exe 1924 Ahjahk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bhljlnma.exe Bdpnlo32.exe File opened for modification C:\Windows\SysWOW64\Djffihmp.exe Dlcfnk32.exe File created C:\Windows\SysWOW64\Gaiijgbi.exe Gokmnlcf.exe File opened for modification C:\Windows\SysWOW64\Hfiofefm.exe Hnbgdh32.exe File created C:\Windows\SysWOW64\Jnllio32.dll Degqka32.exe File created C:\Windows\SysWOW64\Caqoan32.dll Gdophn32.exe File opened for modification C:\Windows\SysWOW64\Ginefe32.exe Gebiefle.exe File created C:\Windows\SysWOW64\Jgqmmiph.dll Hqhiab32.exe File created C:\Windows\SysWOW64\Dlcfnk32.exe Dieiap32.exe File created C:\Windows\SysWOW64\Egebiche.dll Pfjiod32.exe File created C:\Windows\SysWOW64\Bnaacb32.dll Pfaopc32.exe File opened for modification C:\Windows\SysWOW64\Bofbih32.exe Bkjfhile.exe File opened for modification C:\Windows\SysWOW64\Bohoogbk.exe Bgagnjbi.exe File created C:\Windows\SysWOW64\Aebpnp32.dll Cqqbgoba.exe File opened for modification C:\Windows\SysWOW64\Ifgooikk.exe Igdndl32.exe File created C:\Windows\SysWOW64\Ppgfciee.exe Plljbkml.exe File created C:\Windows\SysWOW64\Mnpicg32.dll Aabfqp32.exe File created C:\Windows\SysWOW64\Adekhkng.exe Apjpglfn.exe File opened for modification C:\Windows\SysWOW64\Dnfkefad.exe Dfpcdh32.exe File created C:\Windows\SysWOW64\Ajqmqmfm.dll Hqjfgb32.exe File created C:\Windows\SysWOW64\Djffihmp.exe Dlcfnk32.exe File created C:\Windows\SysWOW64\Oidldm32.dll Eagdgaoe.exe File opened for modification C:\Windows\SysWOW64\Elcbmn32.exe Eiefqc32.exe File created C:\Windows\SysWOW64\Ofmiea32.exe Onfadc32.exe File created C:\Windows\SysWOW64\Bcmeogam.exe Bpnibl32.exe File opened for modification C:\Windows\SysWOW64\Bkjfhile.exe Bhljlnma.exe File opened for modification C:\Windows\SysWOW64\Bgagnjbi.exe Bhngbm32.exe File created C:\Windows\SysWOW64\Cilfka32.exe Cjifpdib.exe File opened for modification C:\Windows\SysWOW64\Gdophn32.exe Glhhgahg.exe File opened for modification C:\Windows\SysWOW64\Glajmppm.exe Gheola32.exe File created C:\Windows\SysWOW64\Homfboco.exe Hqjfgb32.exe File created C:\Windows\SysWOW64\Pedokpcm.exe Pfaopc32.exe File created C:\Windows\SysWOW64\Apeoom32.dll Elaego32.exe File opened for modification C:\Windows\SysWOW64\Febmfcjj.exe Fbdpjgjf.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Iiekkdjo.exe File created C:\Windows\SysWOW64\Oebffm32.exe Oafjfokk.exe File created C:\Windows\SysWOW64\Qbgglq32.dll Cgjjdijo.exe File created C:\Windows\SysWOW64\Epmahmcm.exe Elaego32.exe File created C:\Windows\SysWOW64\Epakcm32.exe Eleobngo.exe File opened for modification C:\Windows\SysWOW64\Flhkhnel.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Eagdgaoe.exe Eiplecnc.exe File created C:\Windows\SysWOW64\Gofhgafa.dll Gohqhl32.exe File created C:\Windows\SysWOW64\Abfcdgde.dll Hdailaib.exe File opened for modification C:\Windows\SysWOW64\Cgfqii32.exe Cdgdlnop.exe File opened for modification C:\Windows\SysWOW64\Cjifpdib.exe Cgjjdijo.exe File created C:\Windows\SysWOW64\Npgpnq32.dll Cjifpdib.exe File opened for modification C:\Windows\SysWOW64\Cofohkgi.exe Cqcomn32.exe File created C:\Windows\SysWOW64\Dieiap32.exe Dbkaee32.exe File created C:\Windows\SysWOW64\Pdqfnhpa.exe Ppejmj32.exe File created C:\Windows\SysWOW64\Dcojbm32.exe Deljfqmf.exe File created C:\Windows\SysWOW64\Hnimeg32.exe Hkkaik32.exe File created C:\Windows\SysWOW64\Jpneablg.dll Gegbpe32.exe File created C:\Windows\SysWOW64\Hcfenn32.exe Hqhiab32.exe File opened for modification C:\Windows\SysWOW64\Hqjfgb32.exe Hnljkf32.exe File created C:\Windows\SysWOW64\Anfjpa32.exe Ahjahk32.exe File opened for modification C:\Windows\SysWOW64\Eaegaaah.exe Dnfkefad.exe File opened for modification C:\Windows\SysWOW64\Ebpgoh32.exe Eodknifb.exe File opened for modification C:\Windows\SysWOW64\Fkmhij32.exe Fillabde.exe File opened for modification C:\Windows\SysWOW64\Ggphji32.exe Gohqhl32.exe File created C:\Windows\SysWOW64\Olokighn.exe Obffpa32.exe File opened for modification C:\Windows\SysWOW64\Bpnibl32.exe Bhgaan32.exe File opened for modification C:\Windows\SysWOW64\Cqlhlo32.exe Cnmlpd32.exe File created C:\Windows\SysWOW64\Dbidof32.exe Dnmhogjo.exe File created C:\Windows\SysWOW64\Ghaeaaki.exe Ginefe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3112 4084 WerFault.exe 253 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnicddki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbanlfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedokpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfqii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgooikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gheola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdloab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgagnjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpcdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkdoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdqfnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeglqpaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqplmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homfboco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcfenn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epakcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofbih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmegkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpnlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6651ad78c166c577845b7d3efcc21c60N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkjocjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glongpao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohoogbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaegaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjpnjheg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfadc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obffpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjiod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjfhile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaghm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkancm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glajmppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopgikop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjpglfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmcbojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjchjcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geplpfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdkdffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adqbml32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdmcbojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkajof32.dll" Hopgikop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfobjdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljokk32.dll" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgcpnon.dll" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elcbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbgdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdophn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfcdgde.dll" Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oakcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggeijok.dll" Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolilcpb.dll" Cjfjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dffbcq32.dll" Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poinfpdk.dll" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaacb32.dll" Pfaopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkphll.dll" Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiahe32.dll" Fofhdidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laokdncm.dll" Ppgfciee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlqgnc32.dll" Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dapnfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjpnjheg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 6651ad78c166c577845b7d3efcc21c60N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmlpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmjnjgd.dll" Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfenml32.dll" Figoefkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnjnnie.dll" Adekhkng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elcbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioinckp.dll" Geplpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiegacgd.dll" Plljbkml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekelo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgloo32.dll" Hnbgdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqjfgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Degqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epakcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghaeaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmbolk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkljhe32.dll" Dcaghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eagdgaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahbckfe.dll" Eibikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Fbbcdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olokighn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbode32.dll" Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfjnm32.dll" Cklpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbcdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbanlfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdehgnqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djffihmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkaihkih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qibhao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnibl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 1644 2508 6651ad78c166c577845b7d3efcc21c60N.exe 29 PID 2508 wrote to memory of 1644 2508 6651ad78c166c577845b7d3efcc21c60N.exe 29 PID 2508 wrote to memory of 1644 2508 6651ad78c166c577845b7d3efcc21c60N.exe 29 PID 2508 wrote to memory of 1644 2508 6651ad78c166c577845b7d3efcc21c60N.exe 29 PID 1644 wrote to memory of 2040 1644 Opqdcgib.exe 30 PID 1644 wrote to memory of 2040 1644 Opqdcgib.exe 30 PID 1644 wrote to memory of 2040 1644 Opqdcgib.exe 30 PID 1644 wrote to memory of 2040 1644 Opqdcgib.exe 30 PID 2040 wrote to memory of 1568 2040 Oclpdf32.exe 31 PID 2040 wrote to memory of 1568 2040 Oclpdf32.exe 31 PID 2040 wrote to memory of 1568 2040 Oclpdf32.exe 31 PID 2040 wrote to memory of 1568 2040 Oclpdf32.exe 31 PID 1568 wrote to memory of 2836 1568 Omddmkhl.exe 32 PID 1568 wrote to memory of 2836 1568 Omddmkhl.exe 32 PID 1568 wrote to memory of 2836 1568 Omddmkhl.exe 32 PID 1568 wrote to memory of 2836 1568 Omddmkhl.exe 32 PID 2836 wrote to memory of 2732 2836 Onfadc32.exe 33 PID 2836 wrote to memory of 2732 2836 Onfadc32.exe 33 PID 2836 wrote to memory of 2732 2836 Onfadc32.exe 33 PID 2836 wrote to memory of 2732 2836 Onfadc32.exe 33 PID 2732 wrote to memory of 2648 2732 Ofmiea32.exe 34 PID 2732 wrote to memory of 2648 2732 Ofmiea32.exe 34 PID 2732 wrote to memory of 2648 2732 Ofmiea32.exe 34 PID 2732 wrote to memory of 2648 2732 Ofmiea32.exe 34 PID 2648 wrote to memory of 2640 2648 Oafjfokk.exe 35 PID 2648 wrote to memory of 2640 2648 Oafjfokk.exe 35 PID 2648 wrote to memory of 2640 2648 Oafjfokk.exe 35 PID 2648 wrote to memory of 2640 2648 Oafjfokk.exe 35 PID 2640 wrote to memory of 2096 2640 Oebffm32.exe 36 PID 2640 wrote to memory of 2096 2640 Oebffm32.exe 36 PID 2640 wrote to memory of 2096 2640 Oebffm32.exe 36 PID 2640 wrote to memory of 2096 2640 Oebffm32.exe 36 PID 2096 wrote to memory of 2968 2096 Onkjocjd.exe 37 PID 2096 wrote to memory of 2968 2096 Onkjocjd.exe 37 PID 2096 wrote to memory of 2968 2096 Onkjocjd.exe 37 PID 2096 wrote to memory of 2968 2096 Onkjocjd.exe 37 PID 2968 wrote to memory of 3008 2968 Obffpa32.exe 38 PID 2968 wrote to memory of 3008 2968 Obffpa32.exe 38 PID 2968 wrote to memory of 3008 2968 Obffpa32.exe 38 PID 2968 wrote to memory of 3008 2968 Obffpa32.exe 38 PID 3008 wrote to memory of 2984 3008 Olokighn.exe 39 PID 3008 wrote to memory of 2984 3008 Olokighn.exe 39 PID 3008 wrote to memory of 2984 3008 Olokighn.exe 39 PID 3008 wrote to memory of 2984 3008 Olokighn.exe 39 PID 2984 wrote to memory of 924 2984 Oakcan32.exe 40 PID 2984 wrote to memory of 924 2984 Oakcan32.exe 40 PID 2984 wrote to memory of 924 2984 Oakcan32.exe 40 PID 2984 wrote to memory of 924 2984 Oakcan32.exe 40 PID 924 wrote to memory of 696 924 Phelnhnb.exe 41 PID 924 wrote to memory of 696 924 Phelnhnb.exe 41 PID 924 wrote to memory of 696 924 Phelnhnb.exe 41 PID 924 wrote to memory of 696 924 Phelnhnb.exe 41 PID 696 wrote to memory of 1212 696 Pjchjcmf.exe 42 PID 696 wrote to memory of 1212 696 Pjchjcmf.exe 42 PID 696 wrote to memory of 1212 696 Pjchjcmf.exe 42 PID 696 wrote to memory of 1212 696 Pjchjcmf.exe 42 PID 1212 wrote to memory of 2088 1212 Phhhchlp.exe 43 PID 1212 wrote to memory of 2088 1212 Phhhchlp.exe 43 PID 1212 wrote to memory of 2088 1212 Phhhchlp.exe 43 PID 1212 wrote to memory of 2088 1212 Phhhchlp.exe 43 PID 2088 wrote to memory of 1048 2088 Pfjiod32.exe 44 PID 2088 wrote to memory of 1048 2088 Pfjiod32.exe 44 PID 2088 wrote to memory of 1048 2088 Pfjiod32.exe 44 PID 2088 wrote to memory of 1048 2088 Pfjiod32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6651ad78c166c577845b7d3efcc21c60N.exe"C:\Users\Admin\AppData\Local\Temp\6651ad78c166c577845b7d3efcc21c60N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Plljbkml.exeC:\Windows\system32\Plljbkml.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Aoamoefh.exeC:\Windows\system32\Aoamoefh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Ahjahk32.exeC:\Windows\system32\Ahjahk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe33⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe36⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Adcobk32.exeC:\Windows\system32\Adcobk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe40⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe42⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe46⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe49⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Bcjhig32.exeC:\Windows\system32\Bcjhig32.exe50⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe52⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe59⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe60⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Bnicddki.exeC:\Windows\system32\Bnicddki.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe66⤵PID:2244
-
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe67⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe70⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Bgcdcjpf.exeC:\Windows\system32\Bgcdcjpf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe72⤵PID:2880
-
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe77⤵PID:2980
-
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe79⤵PID:2904
-
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe80⤵PID:1672
-
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe81⤵PID:2076
-
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe82⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe83⤵PID:1552
-
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe84⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe85⤵PID:1772
-
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe86⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe87⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:376 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe89⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe90⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe91⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe92⤵PID:304
-
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe93⤵PID:2332
-
C:\Windows\SysWOW64\Cklpml32.exeC:\Windows\system32\Cklpml32.exe94⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe95⤵PID:2392
-
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe97⤵PID:1128
-
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe98⤵PID:1988
-
C:\Windows\SysWOW64\Dpjhcj32.exeC:\Windows\system32\Dpjhcj32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe101⤵PID:2176
-
C:\Windows\SysWOW64\Degqka32.exeC:\Windows\system32\Degqka32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe103⤵PID:2804
-
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe104⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe111⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe112⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe113⤵PID:936
-
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe114⤵PID:1680
-
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe115⤵PID:2716
-
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe116⤵PID:2644
-
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-