Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
38s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 04:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c52030e22a4e42628744d09eafda20b0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c52030e22a4e42628744d09eafda20b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c52030e22a4e42628744d09eafda20b0N.exe
-
Size
92KB
-
MD5
c52030e22a4e42628744d09eafda20b0
-
SHA1
9c4a7f52ca6f6aa81542c340580c7870ab3afefe
-
SHA256
d4de772ca06a904e3c3e7a8a8ef2b2d3b36f457a7f420b983594ffa719796691
-
SHA512
8e7592ac5b5d2b4a0ecd35dfd1cc8ef57ebbbda5a97c7cc0c64ba9bcff3987751f08d5a7a6b41c9d0ecf96fb32b8359b901fe3c8140e0ee9e0f0f092c1d4fc38
-
SSDEEP
1536:Sh+7+aJVmtEd4ySFqw/y5J+0GeVsDCE6DLSVb5YN1jXq+66DFUABABOVLefE3:/ycmehQgmsVsD2LSVm1j6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbnjjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ponklpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdkpiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikhnaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgionie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieponofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakino32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acicla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekghdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenhopmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imggplgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picojhcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgifgnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epeoaffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmcefmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpfjomf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqkmplen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciokijfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogolc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Paaddgkj.exe 2760 Ppddpd32.exe 2996 Phklaacg.exe 1612 Pacajg32.exe 2612 Pdbmfb32.exe 2632 Pjleclph.exe 1972 Pmjaohol.exe 1476 Ppinkcnp.exe 1644 Peefcjlg.exe 1736 Pmmneg32.exe 2932 Ponklpcg.exe 532 Picojhcm.exe 2000 Plbkfdba.exe 2312 Paocnkph.exe 2096 Qhilkege.exe 2868 Qobdgo32.exe 1592 Qemldifo.exe 872 Qlfdac32.exe 492 Qoeamo32.exe 1652 Qmhahkdj.exe 1960 Adaiee32.exe 1104 Aognbnkm.exe 1248 Aaejojjq.exe 1728 Addfkeid.exe 604 Aknngo32.exe 2776 Aahfdihn.exe 2716 Acicla32.exe 944 Akpkmo32.exe 2972 Apmcefmf.exe 2560 Aejlnmkm.exe 2680 Anadojlo.exe 2800 Afliclij.exe 2808 Bhkeohhn.exe 1600 Bpbmqe32.exe 2976 Bcpimq32.exe 2952 Bjjaikoa.exe 764 Bhmaeg32.exe 3008 Bogjaamh.exe 2252 Bcbfbp32.exe 2428 Bhonjg32.exe 2916 Bknjfb32.exe 948 Bnlgbnbp.exe 940 Bgdkkc32.exe 1532 Bkpglbaj.exe 1300 Bqmpdioa.exe 2440 Bkbdabog.exe 2156 Bbllnlfd.exe 2184 Bqolji32.exe 2176 Ccnifd32.exe 2752 Cgidfcdk.exe 2832 Cjhabndo.exe 2696 Cncmcm32.exe 1328 Cqaiph32.exe 1732 Ccpeld32.exe 1572 Cglalbbi.exe 1996 Cfoaho32.exe 3016 Cnejim32.exe 2056 Cqdfehii.exe 1768 Cogfqe32.exe 2648 Cgnnab32.exe 692 Cjljnn32.exe 1272 Ciokijfd.exe 3044 Cqfbjhgf.exe 1704 Coicfd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 c52030e22a4e42628744d09eafda20b0N.exe 2644 c52030e22a4e42628744d09eafda20b0N.exe 2980 Paaddgkj.exe 2980 Paaddgkj.exe 2760 Ppddpd32.exe 2760 Ppddpd32.exe 2996 Phklaacg.exe 2996 Phklaacg.exe 1612 Pacajg32.exe 1612 Pacajg32.exe 2612 Pdbmfb32.exe 2612 Pdbmfb32.exe 2632 Pjleclph.exe 2632 Pjleclph.exe 1972 Pmjaohol.exe 1972 Pmjaohol.exe 1476 Ppinkcnp.exe 1476 Ppinkcnp.exe 1644 Peefcjlg.exe 1644 Peefcjlg.exe 1736 Pmmneg32.exe 1736 Pmmneg32.exe 2932 Ponklpcg.exe 2932 Ponklpcg.exe 532 Picojhcm.exe 532 Picojhcm.exe 2000 Plbkfdba.exe 2000 Plbkfdba.exe 2312 Paocnkph.exe 2312 Paocnkph.exe 2096 Qhilkege.exe 2096 Qhilkege.exe 2868 Qobdgo32.exe 2868 Qobdgo32.exe 1592 Qemldifo.exe 1592 Qemldifo.exe 872 Qlfdac32.exe 872 Qlfdac32.exe 492 Qoeamo32.exe 492 Qoeamo32.exe 1652 Qmhahkdj.exe 1652 Qmhahkdj.exe 1960 Adaiee32.exe 1960 Adaiee32.exe 1104 Aognbnkm.exe 1104 Aognbnkm.exe 1248 Aaejojjq.exe 1248 Aaejojjq.exe 1728 Addfkeid.exe 1728 Addfkeid.exe 604 Aknngo32.exe 604 Aknngo32.exe 2776 Aahfdihn.exe 2776 Aahfdihn.exe 2716 Acicla32.exe 2716 Acicla32.exe 944 Akpkmo32.exe 944 Akpkmo32.exe 2972 Apmcefmf.exe 2972 Apmcefmf.exe 2560 Aejlnmkm.exe 2560 Aejlnmkm.exe 2680 Anadojlo.exe 2680 Anadojlo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnfdih32.dll Cglalbbi.exe File created C:\Windows\SysWOW64\Cbpjnb32.dll Dcdkef32.exe File opened for modification C:\Windows\SysWOW64\Hadcipbi.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Pknbhi32.dll Jimdcqom.exe File created C:\Windows\SysWOW64\Cbjlhpkb.exe Ckpckece.exe File created C:\Windows\SysWOW64\Imggplgm.exe Iikkon32.exe File opened for modification C:\Windows\SysWOW64\Lmmfnb32.exe Libjncnc.exe File created C:\Windows\SysWOW64\Difqji32.exe Dekdikhc.exe File created C:\Windows\SysWOW64\Mlpckqje.dll Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Cqdfehii.exe Cnejim32.exe File created C:\Windows\SysWOW64\Eblelb32.exe Epnhpglg.exe File opened for modification C:\Windows\SysWOW64\Iocgfhhc.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Ikbilijo.dll Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Aknngo32.exe Addfkeid.exe File created C:\Windows\SysWOW64\Dnqlmq32.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Hqmkfaia.dll Gpidki32.exe File opened for modification C:\Windows\SysWOW64\Iebldo32.exe Ibcphc32.exe File created C:\Windows\SysWOW64\Lpqlemaj.exe Llepen32.exe File created C:\Windows\SysWOW64\Adaiee32.exe Qmhahkdj.exe File created C:\Windows\SysWOW64\Boddiidc.dll Bhkeohhn.exe File created C:\Windows\SysWOW64\Cncmcm32.exe Cjhabndo.exe File opened for modification C:\Windows\SysWOW64\Bnnjlmid.dll Dboeco32.exe File created C:\Windows\SysWOW64\Mobafhlg.dll Jnofgg32.exe File opened for modification C:\Windows\SysWOW64\Kekkiq32.exe Kapohbfp.exe File created C:\Windows\SysWOW64\Phklaacg.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Pdbmfb32.exe Pacajg32.exe File created C:\Windows\SysWOW64\Cqdfehii.exe Cnejim32.exe File created C:\Windows\SysWOW64\Finlmjmi.dll Ckbpqe32.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Ibcphc32.exe Ioeclg32.exe File created C:\Windows\SysWOW64\Jpjifjdg.exe Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Cjogcm32.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Khnapkjg.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe Cgidfcdk.exe File created C:\Windows\SysWOW64\Ncmljjmf.dll Cncmcm32.exe File created C:\Windows\SysWOW64\Eldiehbk.exe Emaijk32.exe File created C:\Windows\SysWOW64\Iakino32.exe Ibhicbao.exe File opened for modification C:\Windows\SysWOW64\Kbmome32.exe Kjeglh32.exe File opened for modification C:\Windows\SysWOW64\Gncnmane.exe Glbaei32.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Hmdkjmip.exe File opened for modification C:\Windows\SysWOW64\Fooembgb.exe Fggmldfp.exe File created C:\Windows\SysWOW64\Hellqgnm.dll Glbaei32.exe File created C:\Windows\SysWOW64\Lifcib32.exe Lekghdad.exe File created C:\Windows\SysWOW64\Jefndikl.dll Cgidfcdk.exe File opened for modification C:\Windows\SysWOW64\Hcjilgdb.exe Hqkmplen.exe File created C:\Windows\SysWOW64\Ioeclg32.exe Imggplgm.exe File created C:\Windows\SysWOW64\Dnjoco32.exe Dhpgfeao.exe File opened for modification C:\Windows\SysWOW64\Eafkhn32.exe Eogolc32.exe File created C:\Windows\SysWOW64\Ijaaae32.exe Iknafhjb.exe File created C:\Windows\SysWOW64\Ljnfmlph.dll Jgjkfi32.exe File created C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe File created C:\Windows\SysWOW64\Cnejim32.exe Cfoaho32.exe File created C:\Windows\SysWOW64\Dpklkgoj.exe Dahkok32.exe File created C:\Windows\SysWOW64\Ebqngb32.exe Eoebgcol.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Ghgfmi32.dll Qemldifo.exe File created C:\Windows\SysWOW64\Bcpimq32.exe Bpbmqe32.exe File created C:\Windows\SysWOW64\Jnagmc32.exe Jjfkmdlg.exe File opened for modification C:\Windows\SysWOW64\Afliclij.exe Anadojlo.exe File opened for modification C:\Windows\SysWOW64\Gonale32.exe Gkcekfad.exe File created C:\Windows\SysWOW64\Hqkmplen.exe Hmpaom32.exe File opened for modification C:\Windows\SysWOW64\Gkddco32.dll Iamfdo32.exe File created C:\Windows\SysWOW64\Bbjjjgna.dll Pjleclph.exe File created C:\Windows\SysWOW64\Dhcihn32.dll Elkofg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3664 3396 WerFault.exe 320 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogfqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picojhcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikhnaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfpmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepaccmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laahme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llepen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciokijfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqlemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblhmoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c52030e22a4e42628744d09eafda20b0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbkfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghmkmk.dll" Dekdikhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnpam32.dll" Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mndofg32.dll" Dnhbmpkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkcekfad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcohahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeefjhh.dll" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncgkioi.dll" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hddmjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addfkeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhgoifc.dll" Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" Kdeaelok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjljnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdilhpcp.dll" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakcpl32.dll" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgoqijf.dll" Gonale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeoaffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll" Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgjldnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klcgpkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjeglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnagmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll" Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll" Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcjilgdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdaaanl.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgoff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adaiee32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2980 2644 c52030e22a4e42628744d09eafda20b0N.exe 30 PID 2644 wrote to memory of 2980 2644 c52030e22a4e42628744d09eafda20b0N.exe 30 PID 2644 wrote to memory of 2980 2644 c52030e22a4e42628744d09eafda20b0N.exe 30 PID 2644 wrote to memory of 2980 2644 c52030e22a4e42628744d09eafda20b0N.exe 30 PID 2980 wrote to memory of 2760 2980 Paaddgkj.exe 31 PID 2980 wrote to memory of 2760 2980 Paaddgkj.exe 31 PID 2980 wrote to memory of 2760 2980 Paaddgkj.exe 31 PID 2980 wrote to memory of 2760 2980 Paaddgkj.exe 31 PID 2760 wrote to memory of 2996 2760 Ppddpd32.exe 32 PID 2760 wrote to memory of 2996 2760 Ppddpd32.exe 32 PID 2760 wrote to memory of 2996 2760 Ppddpd32.exe 32 PID 2760 wrote to memory of 2996 2760 Ppddpd32.exe 32 PID 2996 wrote to memory of 1612 2996 Phklaacg.exe 33 PID 2996 wrote to memory of 1612 2996 Phklaacg.exe 33 PID 2996 wrote to memory of 1612 2996 Phklaacg.exe 33 PID 2996 wrote to memory of 1612 2996 Phklaacg.exe 33 PID 1612 wrote to memory of 2612 1612 Pacajg32.exe 34 PID 1612 wrote to memory of 2612 1612 Pacajg32.exe 34 PID 1612 wrote to memory of 2612 1612 Pacajg32.exe 34 PID 1612 wrote to memory of 2612 1612 Pacajg32.exe 34 PID 2612 wrote to memory of 2632 2612 Pdbmfb32.exe 35 PID 2612 wrote to memory of 2632 2612 Pdbmfb32.exe 35 PID 2612 wrote to memory of 2632 2612 Pdbmfb32.exe 35 PID 2612 wrote to memory of 2632 2612 Pdbmfb32.exe 35 PID 2632 wrote to memory of 1972 2632 Pjleclph.exe 36 PID 2632 wrote to memory of 1972 2632 Pjleclph.exe 36 PID 2632 wrote to memory of 1972 2632 Pjleclph.exe 36 PID 2632 wrote to memory of 1972 2632 Pjleclph.exe 36 PID 1972 wrote to memory of 1476 1972 Pmjaohol.exe 37 PID 1972 wrote to memory of 1476 1972 Pmjaohol.exe 37 PID 1972 wrote to memory of 1476 1972 Pmjaohol.exe 37 PID 1972 wrote to memory of 1476 1972 Pmjaohol.exe 37 PID 1476 wrote to memory of 1644 1476 Ppinkcnp.exe 38 PID 1476 wrote to memory of 1644 1476 Ppinkcnp.exe 38 PID 1476 wrote to memory of 1644 1476 Ppinkcnp.exe 38 PID 1476 wrote to memory of 1644 1476 Ppinkcnp.exe 38 PID 1644 wrote to memory of 1736 1644 Peefcjlg.exe 39 PID 1644 wrote to memory of 1736 1644 Peefcjlg.exe 39 PID 1644 wrote to memory of 1736 1644 Peefcjlg.exe 39 PID 1644 wrote to memory of 1736 1644 Peefcjlg.exe 39 PID 1736 wrote to memory of 2932 1736 Pmmneg32.exe 40 PID 1736 wrote to memory of 2932 1736 Pmmneg32.exe 40 PID 1736 wrote to memory of 2932 1736 Pmmneg32.exe 40 PID 1736 wrote to memory of 2932 1736 Pmmneg32.exe 40 PID 2932 wrote to memory of 532 2932 Ponklpcg.exe 41 PID 2932 wrote to memory of 532 2932 Ponklpcg.exe 41 PID 2932 wrote to memory of 532 2932 Ponklpcg.exe 41 PID 2932 wrote to memory of 532 2932 Ponklpcg.exe 41 PID 532 wrote to memory of 2000 532 Picojhcm.exe 42 PID 532 wrote to memory of 2000 532 Picojhcm.exe 42 PID 532 wrote to memory of 2000 532 Picojhcm.exe 42 PID 532 wrote to memory of 2000 532 Picojhcm.exe 42 PID 2000 wrote to memory of 2312 2000 Plbkfdba.exe 43 PID 2000 wrote to memory of 2312 2000 Plbkfdba.exe 43 PID 2000 wrote to memory of 2312 2000 Plbkfdba.exe 43 PID 2000 wrote to memory of 2312 2000 Plbkfdba.exe 43 PID 2312 wrote to memory of 2096 2312 Paocnkph.exe 44 PID 2312 wrote to memory of 2096 2312 Paocnkph.exe 44 PID 2312 wrote to memory of 2096 2312 Paocnkph.exe 44 PID 2312 wrote to memory of 2096 2312 Paocnkph.exe 44 PID 2096 wrote to memory of 2868 2096 Qhilkege.exe 45 PID 2096 wrote to memory of 2868 2096 Qhilkege.exe 45 PID 2096 wrote to memory of 2868 2096 Qhilkege.exe 45 PID 2096 wrote to memory of 2868 2096 Qhilkege.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c52030e22a4e42628744d09eafda20b0N.exe"C:\Users\Admin\AppData\Local\Temp\c52030e22a4e42628744d09eafda20b0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:492 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe36⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Bhmaeg32.exeC:\Windows\system32\Bhmaeg32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe41⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe43⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe44⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe46⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe48⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe50⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Cjhabndo.exeC:\Windows\system32\Cjhabndo.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe61⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Coicfd32.exeC:\Windows\system32\Coicfd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe68⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe70⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe72⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe73⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe74⤵PID:2788
-
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe75⤵
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe77⤵PID:2208
-
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe78⤵PID:2256
-
C:\Windows\SysWOW64\Dkdmfe32.exeC:\Windows\system32\Dkdmfe32.exe79⤵PID:2416
-
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe80⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe82⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe83⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Dgknkf32.exeC:\Windows\system32\Dgknkf32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe85⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe86⤵PID:2200
-
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe87⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe88⤵PID:2600
-
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe89⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe90⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe92⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe93⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe94⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe95⤵PID:1540
-
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe100⤵PID:2672
-
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe101⤵PID:2188
-
C:\Windows\SysWOW64\Emaijk32.exeC:\Windows\system32\Emaijk32.exe102⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe103⤵PID:2880
-
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe105⤵PID:1144
-
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe106⤵PID:1340
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe107⤵PID:2168
-
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe108⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe109⤵PID:1632
-
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe110⤵PID:3056
-
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe111⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Epeoaffo.exeC:\Windows\system32\Epeoaffo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe114⤵PID:2236
-
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe115⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe116⤵PID:1664
-
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe118⤵PID:1836
-
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe119⤵
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe121⤵PID:2756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-