Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
79s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 14:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6111624ac5c2d23ad5eda1447c39680N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e6111624ac5c2d23ad5eda1447c39680N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e6111624ac5c2d23ad5eda1447c39680N.exe
-
Size
640KB
-
MD5
e6111624ac5c2d23ad5eda1447c39680
-
SHA1
368924958bbee81b2434dfa66e8213c45f2ca7b1
-
SHA256
97a879e93257b6865b67abc3a077fb0f23794f06a5c8b576bf55092ecbdee795
-
SHA512
90f5288e2308674ee092a44c0180fa6b733259743997dab09aaacdcad09c3a9aa3dfa9bbafca65ed49a81a8d32044d8da2a06a4d029963528dd6ed139526a0b0
-
SSDEEP
12288:ITLydXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:k2dXHfNIVIIVy2jU13fS2hEYM9RIPk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lolbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnmao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjmaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Finjag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkechk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odqiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdjppnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edbmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcchoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdokjdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gknhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onognkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmajllkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajgidejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfonl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpbpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loaaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkekeqjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifhlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehbgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dffopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Innhkknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkiniip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbjmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfocjhdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojhnkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maojlaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbbfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mglkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddfhjma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhhepmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdelik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpbnlbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfjjnkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahcoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einljkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piojmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnklol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djdhfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqfoeng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkechk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdflilm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkcmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfigjgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpmqg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knekknjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gniqhpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpffianh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdhakpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppgfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obpflhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqfiqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmdpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccehgb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2456 Knicjipf.exe 2196 Kkmddmop.exe 2748 Lnklol32.exe 2780 Ljbmdmfc.exe 2704 Lkainp32.exe 2604 Nnghjm32.exe 764 Obngnphg.exe 2064 Oenppk32.exe 2824 Ohoiaf32.exe 2040 Ahcoli32.exe 768 Aqfiqjgb.exe 1808 Belhem32.exe 2292 Cnnpdaeb.exe 804 Caohfl32.exe 3048 Dejqenmh.exe 2816 Eacnpoqi.exe 1600 Flfbfken.exe 960 Fjqlid32.exe 2440 Gggihhkd.exe 1028 Gqomqm32.exe 112 Gknhlj32.exe 2460 Hgdhakpb.exe 992 Haafepbn.exe 2260 Hmhgjahb.exe 1164 Ipkmal32.exe 3032 Ipnigl32.exe 1716 Ibobhgno.exe 2892 Ilicgl32.exe 2128 Jdibfn32.exe 1684 Jambpb32.exe 2552 Jpboan32.exe 2212 Koglbkdl.exe 1804 Koobcj32.exe 2052 Kkechk32.exe 2712 Lkjlcjpb.exe 956 Lolbln32.exe 1576 Mlbokapi.exe 1460 Mdmdpd32.exe 1396 Mgnmao32.exe 1048 Minika32.exe 2136 Mqinpd32.exe 2140 Mjabhjec.exe 1372 Negffbdi.exe 1360 Nppgfp32.exe 2000 Npcdlp32.exe 944 Npeaapmb.exe 2308 Nbcmnklf.exe 2288 Nbfjckjc.exe 1232 Obhfhj32.exe 2972 Onognkne.exe 2660 Ohjhlqbc.exe 2728 Odqiaa32.exe 2620 Pfabbmeh.exe 3060 Pefoci32.exe 2980 Ppnpfagc.exe 280 Pifdog32.exe 1072 Pboihm32.exe 976 Qmijij32.exe 1464 Qohfcmhf.exe 2316 Anmcdjmn.exe 2176 Akadmnlg.exe 2600 Aghdboal.exe 2224 Acoegp32.exe 2356 Acabmpem.exe -
Loads dropped DLL 64 IoCs
pid Process 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 2456 Knicjipf.exe 2456 Knicjipf.exe 2196 Kkmddmop.exe 2196 Kkmddmop.exe 2748 Lnklol32.exe 2748 Lnklol32.exe 2780 Ljbmdmfc.exe 2780 Ljbmdmfc.exe 2704 Lkainp32.exe 2704 Lkainp32.exe 2604 Nnghjm32.exe 2604 Nnghjm32.exe 764 Obngnphg.exe 764 Obngnphg.exe 2064 Oenppk32.exe 2064 Oenppk32.exe 2824 Ohoiaf32.exe 2824 Ohoiaf32.exe 2040 Ahcoli32.exe 2040 Ahcoli32.exe 768 Aqfiqjgb.exe 768 Aqfiqjgb.exe 1808 Belhem32.exe 1808 Belhem32.exe 2292 Cnnpdaeb.exe 2292 Cnnpdaeb.exe 804 Caohfl32.exe 804 Caohfl32.exe 3048 Dejqenmh.exe 3048 Dejqenmh.exe 2816 Eacnpoqi.exe 2816 Eacnpoqi.exe 1600 Flfbfken.exe 1600 Flfbfken.exe 960 Fjqlid32.exe 960 Fjqlid32.exe 2440 Gggihhkd.exe 2440 Gggihhkd.exe 1028 Gqomqm32.exe 1028 Gqomqm32.exe 112 Gknhlj32.exe 112 Gknhlj32.exe 2460 Hgdhakpb.exe 2460 Hgdhakpb.exe 992 Haafepbn.exe 992 Haafepbn.exe 2260 Hmhgjahb.exe 2260 Hmhgjahb.exe 1164 Ipkmal32.exe 1164 Ipkmal32.exe 3032 Ipnigl32.exe 3032 Ipnigl32.exe 1716 Ibobhgno.exe 1716 Ibobhgno.exe 2892 Ilicgl32.exe 2892 Ilicgl32.exe 2128 Jdibfn32.exe 2128 Jdibfn32.exe 1684 Jambpb32.exe 1684 Jambpb32.exe 2552 Jpboan32.exe 2552 Jpboan32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpenogee.exe Jfjmaapg.exe File opened for modification C:\Windows\SysWOW64\Gkqjlpmd.exe Fahfcjfd.exe File created C:\Windows\SysWOW64\Pfknenql.dll Nbfllc32.exe File created C:\Windows\SysWOW64\Piejbpgk.exe Pplejj32.exe File opened for modification C:\Windows\SysWOW64\Cheoma32.exe Cjpble32.exe File created C:\Windows\SysWOW64\Gokfmlpl.dll Ebgbkihn.exe File opened for modification C:\Windows\SysWOW64\Lbcgje32.exe Lkhbfcii.exe File opened for modification C:\Windows\SysWOW64\Dlpbpa32.exe Dmkeoekf.exe File created C:\Windows\SysWOW64\Eqfogp32.exe Ejmgjf32.exe File created C:\Windows\SysWOW64\Mfaeln32.dll Mjabhjec.exe File created C:\Windows\SysWOW64\Kagnipna.exe Kkkigf32.exe File opened for modification C:\Windows\SysWOW64\Fejomjgg.exe Eehbgj32.exe File opened for modification C:\Windows\SysWOW64\Pcchoj32.exe Ocoodjan.exe File opened for modification C:\Windows\SysWOW64\Mkekeqjl.exe Mmajllkb.exe File created C:\Windows\SysWOW64\Lbgnie32.dll Jambpb32.exe File created C:\Windows\SysWOW64\Mdjppnkk.exe Ljelbeke.exe File created C:\Windows\SysWOW64\Nfbogh32.exe Nmjknb32.exe File created C:\Windows\SysWOW64\Nfmoabnf.exe Nhinhn32.exe File created C:\Windows\SysWOW64\Aejkhj32.dll Jiecdn32.exe File created C:\Windows\SysWOW64\Looajf32.exe Lpidii32.exe File created C:\Windows\SysWOW64\Cheoma32.exe Cjpble32.exe File opened for modification C:\Windows\SysWOW64\Dhapfd32.exe Dbbkhnbc.exe File created C:\Windows\SysWOW64\Oiiehk32.dll Hfpehq32.exe File created C:\Windows\SysWOW64\Ncmopefo.dll Hjhqaobe.exe File created C:\Windows\SysWOW64\Inllflpf.exe Hofodokn.exe File opened for modification C:\Windows\SysWOW64\Fmidimen.exe Fdapqgom.exe File created C:\Windows\SysWOW64\Hmcgdlhl.exe Hjbncqkj.exe File opened for modification C:\Windows\SysWOW64\Ocoodjan.exe Ojfjke32.exe File created C:\Windows\SysWOW64\Baifeggh.dll Fjlciihn.exe File created C:\Windows\SysWOW64\Jfdoaa32.dll Jpboan32.exe File created C:\Windows\SysWOW64\Qmijij32.exe Pboihm32.exe File created C:\Windows\SysWOW64\Bdiphm32.dll Ddcfca32.exe File created C:\Windows\SysWOW64\Lgfklaaf.dll Galllipa.exe File created C:\Windows\SysWOW64\Fkmcgg32.dll Ljbmdmfc.exe File created C:\Windows\SysWOW64\Ciemdiph.exe Colhlcig.exe File created C:\Windows\SysWOW64\Ifcdnajj.dll Admnob32.exe File created C:\Windows\SysWOW64\Mdmdpd32.exe Mlbokapi.exe File created C:\Windows\SysWOW64\Fhljgn32.exe Fbobog32.exe File created C:\Windows\SysWOW64\Hcomjk32.dll Mdpbnlbe.exe File created C:\Windows\SysWOW64\Abbldqca.dll Cqkace32.exe File created C:\Windows\SysWOW64\Iacecbpd.dll Lodgja32.exe File opened for modification C:\Windows\SysWOW64\Gegecopf.exe Fedinobh.exe File opened for modification C:\Windows\SysWOW64\Mdpbnlbe.exe Maojlaed.exe File created C:\Windows\SysWOW64\Nhinhn32.exe Nfhefc32.exe File created C:\Windows\SysWOW64\Inlnkj32.dll Pcchoj32.exe File opened for modification C:\Windows\SysWOW64\Qmkigb32.exe Qadhba32.exe File created C:\Windows\SysWOW64\Omahmnhm.dll Dlkggn32.exe File created C:\Windows\SysWOW64\Jgeppe32.exe Jaiknk32.exe File created C:\Windows\SysWOW64\Ojfjke32.exe Nbfllc32.exe File opened for modification C:\Windows\SysWOW64\Kelfbh32.exe Jomadaga.exe File opened for modification C:\Windows\SysWOW64\Cldagoib.exe Cpmpbncn.exe File created C:\Windows\SysWOW64\Fmidimen.exe Fdapqgom.exe File created C:\Windows\SysWOW64\Jajgam32.dll Domgcocg.exe File opened for modification C:\Windows\SysWOW64\Bhqico32.exe Aljinncb.exe File created C:\Windows\SysWOW64\Jambpb32.exe Jdibfn32.exe File created C:\Windows\SysWOW64\Eanlogem.dll Obhfhj32.exe File created C:\Windows\SysWOW64\Nnghjm32.exe Lkainp32.exe File opened for modification C:\Windows\SysWOW64\Bannajom.exe Bciaqnje.exe File opened for modification C:\Windows\SysWOW64\Mmecgl32.exe Mglkja32.exe File created C:\Windows\SysWOW64\Qfcinq32.dll Fapgolal.exe File created C:\Windows\SysWOW64\Bnhbkl32.dll Pfiafk32.exe File created C:\Windows\SysWOW64\Fgcknc32.dll Bflghh32.exe File opened for modification C:\Windows\SysWOW64\Loaaab32.exe Kkchkd32.exe File opened for modification C:\Windows\SysWOW64\Ddqinb32.exe Djkepi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2008 2620 WerFault.exe 369 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkmnpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiecdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaigmoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgccm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epllhlbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnklol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhapfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gniqhpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfikjfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekkga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bocadg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcolgenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibcanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljelbeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abieajgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnmao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofkgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdokjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdinla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goagaded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdjppnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdflopoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Floccbai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdibfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbkhnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahfcjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blghhahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elhacpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkainp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbmkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhbfcii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbohooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknhlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmhgjahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmhppk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bciaqnje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpble32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaedmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahkiniip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganfhpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpflhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdneohbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgplicod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglkja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmddmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohoiaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldcjooac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhqaobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqico32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehnlmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqfoeng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlciihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdnggq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koobcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcekdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enncqjna.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obngnphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejmgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfpaf32.dll" Ebgifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnofgcif.dll" Pggcdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnghjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggihhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajmoa32.dll" Bnjlcgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjfcgba.dll" Dbpplglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkmfmdk.dll" Dfdbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggmnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcmpmlk.dll" Nqfigjgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmpbncn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfallhc.dll" Hmcgdlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhjfm32.dll" Icohfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpgccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnoamj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fahfcjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mglkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkkigf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blbhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djcoen32.dll" Dejqenmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiibok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fedinobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhpbic.dll" Gmacmkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpenogee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmhli32.dll" Lmomfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbochop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhaefbfi.dll" Blbhbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnklol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifdog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhapfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eheeqgmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajhgedl.dll" Jfdjbcim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejkhj32.dll" Jiecdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcijbch.dll" Dmfkcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccind32.dll" Gknhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhacjq32.dll" Qohfcmhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiipmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdnbipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelfbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccknke32.dll" Hakapfnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ighgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oajpjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnplhhdl.dll" Obpflhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iolojejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abjnei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhdoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbcnoc32.dll" Laepll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haafepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elhacpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehnlmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mleedphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejoq32.dll" Hdinla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdjcai.dll" Pefoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obpflhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epllhlbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhljgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpiqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccehgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjmcnmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkccjcbp.dll" Hqdeciho.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2456 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 29 PID 2028 wrote to memory of 2456 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 29 PID 2028 wrote to memory of 2456 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 29 PID 2028 wrote to memory of 2456 2028 e6111624ac5c2d23ad5eda1447c39680N.exe 29 PID 2456 wrote to memory of 2196 2456 Knicjipf.exe 30 PID 2456 wrote to memory of 2196 2456 Knicjipf.exe 30 PID 2456 wrote to memory of 2196 2456 Knicjipf.exe 30 PID 2456 wrote to memory of 2196 2456 Knicjipf.exe 30 PID 2196 wrote to memory of 2748 2196 Kkmddmop.exe 31 PID 2196 wrote to memory of 2748 2196 Kkmddmop.exe 31 PID 2196 wrote to memory of 2748 2196 Kkmddmop.exe 31 PID 2196 wrote to memory of 2748 2196 Kkmddmop.exe 31 PID 2748 wrote to memory of 2780 2748 Lnklol32.exe 32 PID 2748 wrote to memory of 2780 2748 Lnklol32.exe 32 PID 2748 wrote to memory of 2780 2748 Lnklol32.exe 32 PID 2748 wrote to memory of 2780 2748 Lnklol32.exe 32 PID 2780 wrote to memory of 2704 2780 Ljbmdmfc.exe 33 PID 2780 wrote to memory of 2704 2780 Ljbmdmfc.exe 33 PID 2780 wrote to memory of 2704 2780 Ljbmdmfc.exe 33 PID 2780 wrote to memory of 2704 2780 Ljbmdmfc.exe 33 PID 2704 wrote to memory of 2604 2704 Lkainp32.exe 34 PID 2704 wrote to memory of 2604 2704 Lkainp32.exe 34 PID 2704 wrote to memory of 2604 2704 Lkainp32.exe 34 PID 2704 wrote to memory of 2604 2704 Lkainp32.exe 34 PID 2604 wrote to memory of 764 2604 Nnghjm32.exe 35 PID 2604 wrote to memory of 764 2604 Nnghjm32.exe 35 PID 2604 wrote to memory of 764 2604 Nnghjm32.exe 35 PID 2604 wrote to memory of 764 2604 Nnghjm32.exe 35 PID 764 wrote to memory of 2064 764 Obngnphg.exe 36 PID 764 wrote to memory of 2064 764 Obngnphg.exe 36 PID 764 wrote to memory of 2064 764 Obngnphg.exe 36 PID 764 wrote to memory of 2064 764 Obngnphg.exe 36 PID 2064 wrote to memory of 2824 2064 Oenppk32.exe 37 PID 2064 wrote to memory of 2824 2064 Oenppk32.exe 37 PID 2064 wrote to memory of 2824 2064 Oenppk32.exe 37 PID 2064 wrote to memory of 2824 2064 Oenppk32.exe 37 PID 2824 wrote to memory of 2040 2824 Ohoiaf32.exe 38 PID 2824 wrote to memory of 2040 2824 Ohoiaf32.exe 38 PID 2824 wrote to memory of 2040 2824 Ohoiaf32.exe 38 PID 2824 wrote to memory of 2040 2824 Ohoiaf32.exe 38 PID 2040 wrote to memory of 768 2040 Ahcoli32.exe 39 PID 2040 wrote to memory of 768 2040 Ahcoli32.exe 39 PID 2040 wrote to memory of 768 2040 Ahcoli32.exe 39 PID 2040 wrote to memory of 768 2040 Ahcoli32.exe 39 PID 768 wrote to memory of 1808 768 Aqfiqjgb.exe 40 PID 768 wrote to memory of 1808 768 Aqfiqjgb.exe 40 PID 768 wrote to memory of 1808 768 Aqfiqjgb.exe 40 PID 768 wrote to memory of 1808 768 Aqfiqjgb.exe 40 PID 1808 wrote to memory of 2292 1808 Belhem32.exe 41 PID 1808 wrote to memory of 2292 1808 Belhem32.exe 41 PID 1808 wrote to memory of 2292 1808 Belhem32.exe 41 PID 1808 wrote to memory of 2292 1808 Belhem32.exe 41 PID 2292 wrote to memory of 804 2292 Cnnpdaeb.exe 42 PID 2292 wrote to memory of 804 2292 Cnnpdaeb.exe 42 PID 2292 wrote to memory of 804 2292 Cnnpdaeb.exe 42 PID 2292 wrote to memory of 804 2292 Cnnpdaeb.exe 42 PID 804 wrote to memory of 3048 804 Caohfl32.exe 43 PID 804 wrote to memory of 3048 804 Caohfl32.exe 43 PID 804 wrote to memory of 3048 804 Caohfl32.exe 43 PID 804 wrote to memory of 3048 804 Caohfl32.exe 43 PID 3048 wrote to memory of 2816 3048 Dejqenmh.exe 44 PID 3048 wrote to memory of 2816 3048 Dejqenmh.exe 44 PID 3048 wrote to memory of 2816 3048 Dejqenmh.exe 44 PID 3048 wrote to memory of 2816 3048 Dejqenmh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6111624ac5c2d23ad5eda1447c39680N.exe"C:\Users\Admin\AppData\Local\Temp\e6111624ac5c2d23ad5eda1447c39680N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Knicjipf.exeC:\Windows\system32\Knicjipf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Kkmddmop.exeC:\Windows\system32\Kkmddmop.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Lnklol32.exeC:\Windows\system32\Lnklol32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ljbmdmfc.exeC:\Windows\system32\Ljbmdmfc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lkainp32.exeC:\Windows\system32\Lkainp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Nnghjm32.exeC:\Windows\system32\Nnghjm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Obngnphg.exeC:\Windows\system32\Obngnphg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Oenppk32.exeC:\Windows\system32\Oenppk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ohoiaf32.exeC:\Windows\system32\Ohoiaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ahcoli32.exeC:\Windows\system32\Ahcoli32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Aqfiqjgb.exeC:\Windows\system32\Aqfiqjgb.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Belhem32.exeC:\Windows\system32\Belhem32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Cnnpdaeb.exeC:\Windows\system32\Cnnpdaeb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Caohfl32.exeC:\Windows\system32\Caohfl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Dejqenmh.exeC:\Windows\system32\Dejqenmh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Eacnpoqi.exeC:\Windows\system32\Eacnpoqi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Flfbfken.exeC:\Windows\system32\Flfbfken.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Fjqlid32.exeC:\Windows\system32\Fjqlid32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Gggihhkd.exeC:\Windows\system32\Gggihhkd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Gqomqm32.exeC:\Windows\system32\Gqomqm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Gknhlj32.exeC:\Windows\system32\Gknhlj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Hgdhakpb.exeC:\Windows\system32\Hgdhakpb.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Haafepbn.exeC:\Windows\system32\Haafepbn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Hmhgjahb.exeC:\Windows\system32\Hmhgjahb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Ipkmal32.exeC:\Windows\system32\Ipkmal32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Ipnigl32.exeC:\Windows\system32\Ipnigl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Ibobhgno.exeC:\Windows\system32\Ibobhgno.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Ilicgl32.exeC:\Windows\system32\Ilicgl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Jdibfn32.exeC:\Windows\system32\Jdibfn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Jambpb32.exeC:\Windows\system32\Jambpb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Jpboan32.exeC:\Windows\system32\Jpboan32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Koglbkdl.exeC:\Windows\system32\Koglbkdl.exe33⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Koobcj32.exeC:\Windows\system32\Koobcj32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Kkechk32.exeC:\Windows\system32\Kkechk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Lkjlcjpb.exeC:\Windows\system32\Lkjlcjpb.exe36⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Lolbln32.exeC:\Windows\system32\Lolbln32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Mlbokapi.exeC:\Windows\system32\Mlbokapi.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Mdmdpd32.exeC:\Windows\system32\Mdmdpd32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mgnmao32.exeC:\Windows\system32\Mgnmao32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Minika32.exeC:\Windows\system32\Minika32.exe41⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mqinpd32.exeC:\Windows\system32\Mqinpd32.exe42⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Mjabhjec.exeC:\Windows\system32\Mjabhjec.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Negffbdi.exeC:\Windows\system32\Negffbdi.exe44⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Nppgfp32.exeC:\Windows\system32\Nppgfp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Npcdlp32.exeC:\Windows\system32\Npcdlp32.exe46⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Npeaapmb.exeC:\Windows\system32\Npeaapmb.exe47⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Nbcmnklf.exeC:\Windows\system32\Nbcmnklf.exe48⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nbfjckjc.exeC:\Windows\system32\Nbfjckjc.exe49⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Obhfhj32.exeC:\Windows\system32\Obhfhj32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Onognkne.exeC:\Windows\system32\Onognkne.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ohjhlqbc.exeC:\Windows\system32\Ohjhlqbc.exe52⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Odqiaa32.exeC:\Windows\system32\Odqiaa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pfabbmeh.exeC:\Windows\system32\Pfabbmeh.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Pefoci32.exeC:\Windows\system32\Pefoci32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Ppnpfagc.exeC:\Windows\system32\Ppnpfagc.exe56⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pifdog32.exeC:\Windows\system32\Pifdog32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Pboihm32.exeC:\Windows\system32\Pboihm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Qmijij32.exeC:\Windows\system32\Qmijij32.exe59⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Qohfcmhf.exeC:\Windows\system32\Qohfcmhf.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Anmcdjmn.exeC:\Windows\system32\Anmcdjmn.exe61⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Akadmnlg.exeC:\Windows\system32\Akadmnlg.exe62⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Aghdboal.exeC:\Windows\system32\Aghdboal.exe63⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Acoegp32.exeC:\Windows\system32\Acoegp32.exe64⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Acabmpem.exeC:\Windows\system32\Acabmpem.exe65⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Abfonl32.exeC:\Windows\system32\Abfonl32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Bllcke32.exeC:\Windows\system32\Bllcke32.exe67⤵PID:1532
-
C:\Windows\SysWOW64\Bdghpggf.exeC:\Windows\system32\Bdghpggf.exe68⤵PID:1832
-
C:\Windows\SysWOW64\Bnplhm32.exeC:\Windows\system32\Bnplhm32.exe69⤵PID:1752
-
C:\Windows\SysWOW64\Bkcmba32.exeC:\Windows\system32\Bkcmba32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Bjhjcm32.exeC:\Windows\system32\Bjhjcm32.exe71⤵PID:1604
-
C:\Windows\SysWOW64\Bjkfhm32.exeC:\Windows\system32\Bjkfhm32.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Cjmcnmmc.exeC:\Windows\system32\Cjmcnmmc.exe73⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Ccehgb32.exeC:\Windows\system32\Ccehgb32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Colhlcig.exeC:\Windows\system32\Colhlcig.exe75⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Ciemdiph.exeC:\Windows\system32\Ciemdiph.exe76⤵PID:2092
-
C:\Windows\SysWOW64\Celnjj32.exeC:\Windows\system32\Celnjj32.exe77⤵PID:1632
-
C:\Windows\SysWOW64\Cenjoi32.exeC:\Windows\system32\Cenjoi32.exe78⤵PID:2236
-
C:\Windows\SysWOW64\Dbbkhnbc.exeC:\Windows\system32\Dbbkhnbc.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Dhapfd32.exeC:\Windows\system32\Dhapfd32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Eiibok32.exeC:\Windows\system32\Eiibok32.exe81⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Eofkgb32.exeC:\Windows\system32\Eofkgb32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Ehnpph32.exeC:\Windows\system32\Ehnpph32.exe83⤵PID:2008
-
C:\Windows\SysWOW64\Einljkji.exeC:\Windows\system32\Einljkji.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Eloekf32.exeC:\Windows\system32\Eloekf32.exe85⤵PID:1568
-
C:\Windows\SysWOW64\Eheeqgmn.exeC:\Windows\system32\Eheeqgmn.exe86⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Fanjil32.exeC:\Windows\system32\Fanjil32.exe87⤵PID:2016
-
C:\Windows\SysWOW64\Fapgolal.exeC:\Windows\system32\Fapgolal.exe88⤵
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Fmggdm32.exeC:\Windows\system32\Fmggdm32.exe89⤵PID:2692
-
C:\Windows\SysWOW64\Fdapqgom.exeC:\Windows\system32\Fdapqgom.exe90⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Fmidimen.exeC:\Windows\system32\Fmidimen.exe91⤵PID:2716
-
C:\Windows\SysWOW64\Fedinobh.exeC:\Windows\system32\Fedinobh.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Gegecopf.exeC:\Windows\system32\Gegecopf.exe93⤵PID:1496
-
C:\Windows\SysWOW64\Ganfhpfj.exeC:\Windows\system32\Ganfhpfj.exe94⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Goagaded.exeC:\Windows\system32\Goagaded.exe95⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Godcgcca.exeC:\Windows\system32\Godcgcca.exe96⤵PID:2508
-
C:\Windows\SysWOW64\Gniqhpgi.exeC:\Windows\system32\Gniqhpgi.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Hnkmnpef.exeC:\Windows\system32\Hnkmnpef.exe98⤵
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Hjbncqkj.exeC:\Windows\system32\Hjbncqkj.exe99⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Hmcgdlhl.exeC:\Windows\system32\Hmcgdlhl.exe100⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Hjggnp32.exeC:\Windows\system32\Hjggnp32.exe101⤵PID:1508
-
C:\Windows\SysWOW64\Hcolgenf.exeC:\Windows\system32\Hcolgenf.exe102⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\Hmhppk32.exeC:\Windows\system32\Hmhppk32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Hfpehq32.exeC:\Windows\system32\Hfpehq32.exe104⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Inkimc32.exeC:\Windows\system32\Inkimc32.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Ibibcanh.exeC:\Windows\system32\Ibibcanh.exe106⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Ijdggc32.exeC:\Windows\system32\Ijdggc32.exe107⤵PID:2200
-
C:\Windows\SysWOW64\Ighgah32.exeC:\Windows\system32\Ighgah32.exe108⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Icohfi32.exeC:\Windows\system32\Icohfi32.exe109⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Jpfikjfe.exeC:\Windows\system32\Jpfikjfe.exe110⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Jfbnmckp.exeC:\Windows\system32\Jfbnmckp.exe111⤵PID:2536
-
C:\Windows\SysWOW64\Jfdjbcim.exeC:\Windows\system32\Jfdjbcim.exe112⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Jiecdn32.exeC:\Windows\system32\Jiecdn32.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Kjimafji.exeC:\Windows\system32\Kjimafji.exe114⤵PID:528
-
C:\Windows\SysWOW64\Kkkigf32.exeC:\Windows\system32\Kkkigf32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Kagnipna.exeC:\Windows\system32\Kagnipna.exe116⤵PID:1708
-
C:\Windows\SysWOW64\Kgdgaflh.exeC:\Windows\system32\Kgdgaflh.exe117⤵PID:2676
-
C:\Windows\SysWOW64\Lgipmf32.exeC:\Windows\system32\Lgipmf32.exe118⤵PID:688
-
C:\Windows\SysWOW64\Lodeahen.exeC:\Windows\system32\Lodeahen.exe119⤵PID:1320
-
C:\Windows\SysWOW64\Lhmijn32.exeC:\Windows\system32\Lhmijn32.exe120⤵PID:900
-
C:\Windows\SysWOW64\Ldcjooac.exeC:\Windows\system32\Ldcjooac.exe121⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-