Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 04:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe
-
Size
380KB
-
MD5
1cf189d57d9121d7db5fe3bd49582b53
-
SHA1
e4ad23d97525fb675c9f2b7f502e810a59c1c8f0
-
SHA256
e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021
-
SHA512
b50197400baf0b062275458cc4823349075d366c45784accbf62f9f1ee9715e3be4b0bfef983bbf7af57b90452b75fa7c2a8115c1bf58896b15701a0a1a4c709
-
SSDEEP
6144:4r8MbccmCXNmCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58Vh:4r8cmCROtoq5t6NSN6G5tbt5t6NSN6T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeclebja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iieepbje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhgpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjaikoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamnhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpdbohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqlhkofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imjkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flclam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjgehgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onlahm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofcbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimmjffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giolnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoefl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhkopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbcen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhbkohm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oioipf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2352 Mkndhabp.exe 2144 Mbhlek32.exe 2648 Mclebc32.exe 2788 Mnaiol32.exe 2660 Mfmndn32.exe 2680 Mcqombic.exe 2576 Mmicfh32.exe 2100 Mcckcbgp.exe 2852 Npjlhcmd.exe 1944 Nfdddm32.exe 1184 Nameek32.exe 1448 Njfjnpgp.exe 1460 Neknki32.exe 2920 Njhfcp32.exe 1816 Nabopjmj.exe 448 Onfoin32.exe 2052 Ojmpooah.exe 2504 Odedge32.exe 1348 Obhdcanc.exe 2520 Olpilg32.exe 3000 Offmipej.exe 644 Oidiekdn.exe 1876 Ooabmbbe.exe 1020 Oekjjl32.exe 2624 Ohiffh32.exe 1588 Opqoge32.exe 2016 Obokcqhk.exe 2692 Piicpk32.exe 2748 Padhdm32.exe 2272 Pepcelel.exe 2896 Pafdjmkq.exe 2556 Pdeqfhjd.exe 2832 Pgcmbcih.exe 2076 Pojecajj.exe 2364 Pmmeon32.exe 1948 Pkaehb32.exe 2872 Pmpbdm32.exe 2912 Pcljmdmj.exe 2892 Pleofj32.exe 2640 Qdlggg32.exe 3040 Qgjccb32.exe 712 Qpbglhjq.exe 1744 Qdncmgbj.exe 944 Qcachc32.exe 2212 Apedah32.exe 3012 Accqnc32.exe 1496 Agolnbok.exe 316 Ahpifj32.exe 1608 Apgagg32.exe 1976 Aojabdlf.exe 1604 Aaimopli.exe 2804 Ajpepm32.exe 2580 Alnalh32.exe 2656 Aomnhd32.exe 2664 Achjibcl.exe 2360 Afffenbp.exe 2368 Ahebaiac.exe 2868 Alqnah32.exe 1028 Anbkipok.exe 2928 Abmgjo32.exe 2456 Ahgofi32.exe 1728 Aoagccfn.exe 1312 Andgop32.exe 1804 Aqbdkk32.exe -
Loads dropped DLL 64 IoCs
pid Process 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 2352 Mkndhabp.exe 2352 Mkndhabp.exe 2144 Mbhlek32.exe 2144 Mbhlek32.exe 2648 Mclebc32.exe 2648 Mclebc32.exe 2788 Mnaiol32.exe 2788 Mnaiol32.exe 2660 Mfmndn32.exe 2660 Mfmndn32.exe 2680 Mcqombic.exe 2680 Mcqombic.exe 2576 Mmicfh32.exe 2576 Mmicfh32.exe 2100 Mcckcbgp.exe 2100 Mcckcbgp.exe 2852 Npjlhcmd.exe 2852 Npjlhcmd.exe 1944 Nfdddm32.exe 1944 Nfdddm32.exe 1184 Nameek32.exe 1184 Nameek32.exe 1448 Njfjnpgp.exe 1448 Njfjnpgp.exe 1460 Neknki32.exe 1460 Neknki32.exe 2920 Njhfcp32.exe 2920 Njhfcp32.exe 1816 Nabopjmj.exe 1816 Nabopjmj.exe 448 Onfoin32.exe 448 Onfoin32.exe 2052 Ojmpooah.exe 2052 Ojmpooah.exe 2504 Odedge32.exe 2504 Odedge32.exe 1348 Obhdcanc.exe 1348 Obhdcanc.exe 2520 Olpilg32.exe 2520 Olpilg32.exe 3000 Offmipej.exe 3000 Offmipej.exe 644 Oidiekdn.exe 644 Oidiekdn.exe 1876 Ooabmbbe.exe 1876 Ooabmbbe.exe 1020 Oekjjl32.exe 1020 Oekjjl32.exe 2624 Ohiffh32.exe 2624 Ohiffh32.exe 1588 Opqoge32.exe 1588 Opqoge32.exe 2016 Obokcqhk.exe 2016 Obokcqhk.exe 2692 Piicpk32.exe 2692 Piicpk32.exe 2748 Padhdm32.exe 2748 Padhdm32.exe 2272 Pepcelel.exe 2272 Pepcelel.exe 2896 Pafdjmkq.exe 2896 Pafdjmkq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aobpfb32.exe Alddjg32.exe File opened for modification C:\Windows\SysWOW64\Hmbndmkb.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Onfoin32.exe File created C:\Windows\SysWOW64\Fameoj32.dll Gagkjbaf.exe File created C:\Windows\SysWOW64\Gcmamj32.exe Gqodqodl.exe File created C:\Windows\SysWOW64\Ldheebad.exe Kajiigba.exe File created C:\Windows\SysWOW64\Lkbmbl32.exe Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Oefjdgjk.exe Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File created C:\Windows\SysWOW64\Cjonncab.exe Cgaaah32.exe File created C:\Windows\SysWOW64\Giolnomh.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Lgdqap32.dll Ekmfne32.exe File opened for modification C:\Windows\SysWOW64\Gnbejb32.exe Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Elibpg32.exe File created C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File created C:\Windows\SysWOW64\Oekjjl32.exe Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Joggci32.exe Jjkkbjln.exe File created C:\Windows\SysWOW64\Bmamle32.dll Oehgjfhi.exe File opened for modification C:\Windows\SysWOW64\Pnchhllf.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Jefbnacn.exe Jfcabd32.exe File created C:\Windows\SysWOW64\Kaqnpc32.dll Cebeem32.exe File created C:\Windows\SysWOW64\Kijkje32.exe Kgkonj32.exe File opened for modification C:\Windows\SysWOW64\Njeccjcd.exe Nggggoda.exe File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe Cjonncab.exe File created C:\Windows\SysWOW64\Ipjdameg.exe Iahceq32.exe File opened for modification C:\Windows\SysWOW64\Jfaeme32.exe Jbfilffm.exe File opened for modification C:\Windows\SysWOW64\Pmpbdm32.exe Pkaehb32.exe File created C:\Windows\SysWOW64\Fieacp32.dll Obeacl32.exe File created C:\Windows\SysWOW64\Aeoijidl.exe Aacmij32.exe File created C:\Windows\SysWOW64\Pknbhi32.dll Jjjdhc32.exe File created C:\Windows\SysWOW64\Kokmmkcm.exe Khadpa32.exe File created C:\Windows\SysWOW64\Kfimpm32.dll Khadpa32.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dlifadkk.exe File created C:\Windows\SysWOW64\Mobafhlg.dll Jnofgg32.exe File created C:\Windows\SysWOW64\Fkefbcmf.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Gdnfjl32.exe Gaojnq32.exe File created C:\Windows\SysWOW64\Cmhjdiap.exe Cjjnhnbl.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Icfpbl32.exe File opened for modification C:\Windows\SysWOW64\Jjkkbjln.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Gfbaonni.dll Hadcipbi.exe File created C:\Windows\SysWOW64\Glehgdkn.dll Ikfbbjdj.exe File created C:\Windows\SysWOW64\Cfcqihha.dll Kpafapbk.exe File created C:\Windows\SysWOW64\Qkielpdf.exe Qlfdac32.exe File opened for modification C:\Windows\SysWOW64\Bacihmoo.exe Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Nbpghl32.exe Npbklabl.exe File created C:\Windows\SysWOW64\Qobmnf32.dll Famaimfe.exe File created C:\Windows\SysWOW64\Koaclfgl.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Eibgpnjk.exe Eakooqih.exe File created C:\Windows\SysWOW64\Kalipcmb.exe Kmqmod32.exe File created C:\Windows\SysWOW64\Kkdnhi32.exe Kbmfgk32.exe File created C:\Windows\SysWOW64\Ooffgmde.dll Pbgjgomc.exe File created C:\Windows\SysWOW64\Ajehnk32.exe Agglbp32.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll Dncibp32.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Npjlhcmd.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Glbaei32.exe Gehiioaj.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hiioin32.exe File created C:\Windows\SysWOW64\Abmgjo32.exe Anbkipok.exe File created C:\Windows\SysWOW64\Aeojbkal.dll Debadpeg.exe File created C:\Windows\SysWOW64\Jhndmp32.dll Iladfn32.exe File created C:\Windows\SysWOW64\Pacajg32.exe Piliii32.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Ckeqga32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6928 6892 WerFault.exe 629 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmollme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfgnnhkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakooqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfepod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpaali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmjoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahceq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlofgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feddombd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdffoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopfhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgjldnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclnjd32.dll" Eakooqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eakooqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnglnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Ifgicg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqbijmn.dll" Nbpghl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpggei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngohbhce.dll" Ngbmlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoaqogml.dll" Dmgmpnhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdecea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpafapbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqgddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Ppkjac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlbdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jigbebhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkiehdc.dll" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdld32.dll" Fdnjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blinefnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agihgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fameoj32.dll" Gagkjbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meoaif32.dll" Onlahm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcdkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gconbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Gcgqgd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 784 wrote to memory of 2352 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 31 PID 784 wrote to memory of 2352 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 31 PID 784 wrote to memory of 2352 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 31 PID 784 wrote to memory of 2352 784 e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe 31 PID 2352 wrote to memory of 2144 2352 Mkndhabp.exe 32 PID 2352 wrote to memory of 2144 2352 Mkndhabp.exe 32 PID 2352 wrote to memory of 2144 2352 Mkndhabp.exe 32 PID 2352 wrote to memory of 2144 2352 Mkndhabp.exe 32 PID 2144 wrote to memory of 2648 2144 Mbhlek32.exe 33 PID 2144 wrote to memory of 2648 2144 Mbhlek32.exe 33 PID 2144 wrote to memory of 2648 2144 Mbhlek32.exe 33 PID 2144 wrote to memory of 2648 2144 Mbhlek32.exe 33 PID 2648 wrote to memory of 2788 2648 Mclebc32.exe 34 PID 2648 wrote to memory of 2788 2648 Mclebc32.exe 34 PID 2648 wrote to memory of 2788 2648 Mclebc32.exe 34 PID 2648 wrote to memory of 2788 2648 Mclebc32.exe 34 PID 2788 wrote to memory of 2660 2788 Mnaiol32.exe 35 PID 2788 wrote to memory of 2660 2788 Mnaiol32.exe 35 PID 2788 wrote to memory of 2660 2788 Mnaiol32.exe 35 PID 2788 wrote to memory of 2660 2788 Mnaiol32.exe 35 PID 2660 wrote to memory of 2680 2660 Mfmndn32.exe 36 PID 2660 wrote to memory of 2680 2660 Mfmndn32.exe 36 PID 2660 wrote to memory of 2680 2660 Mfmndn32.exe 36 PID 2660 wrote to memory of 2680 2660 Mfmndn32.exe 36 PID 2680 wrote to memory of 2576 2680 Mcqombic.exe 37 PID 2680 wrote to memory of 2576 2680 Mcqombic.exe 37 PID 2680 wrote to memory of 2576 2680 Mcqombic.exe 37 PID 2680 wrote to memory of 2576 2680 Mcqombic.exe 37 PID 2576 wrote to memory of 2100 2576 Mmicfh32.exe 38 PID 2576 wrote to memory of 2100 2576 Mmicfh32.exe 38 PID 2576 wrote to memory of 2100 2576 Mmicfh32.exe 38 PID 2576 wrote to memory of 2100 2576 Mmicfh32.exe 38 PID 2100 wrote to memory of 2852 2100 Mcckcbgp.exe 39 PID 2100 wrote to memory of 2852 2100 Mcckcbgp.exe 39 PID 2100 wrote to memory of 2852 2100 Mcckcbgp.exe 39 PID 2100 wrote to memory of 2852 2100 Mcckcbgp.exe 39 PID 2852 wrote to memory of 1944 2852 Npjlhcmd.exe 40 PID 2852 wrote to memory of 1944 2852 Npjlhcmd.exe 40 PID 2852 wrote to memory of 1944 2852 Npjlhcmd.exe 40 PID 2852 wrote to memory of 1944 2852 Npjlhcmd.exe 40 PID 1944 wrote to memory of 1184 1944 Nfdddm32.exe 41 PID 1944 wrote to memory of 1184 1944 Nfdddm32.exe 41 PID 1944 wrote to memory of 1184 1944 Nfdddm32.exe 41 PID 1944 wrote to memory of 1184 1944 Nfdddm32.exe 41 PID 1184 wrote to memory of 1448 1184 Nameek32.exe 42 PID 1184 wrote to memory of 1448 1184 Nameek32.exe 42 PID 1184 wrote to memory of 1448 1184 Nameek32.exe 42 PID 1184 wrote to memory of 1448 1184 Nameek32.exe 42 PID 1448 wrote to memory of 1460 1448 Njfjnpgp.exe 43 PID 1448 wrote to memory of 1460 1448 Njfjnpgp.exe 43 PID 1448 wrote to memory of 1460 1448 Njfjnpgp.exe 43 PID 1448 wrote to memory of 1460 1448 Njfjnpgp.exe 43 PID 1460 wrote to memory of 2920 1460 Neknki32.exe 44 PID 1460 wrote to memory of 2920 1460 Neknki32.exe 44 PID 1460 wrote to memory of 2920 1460 Neknki32.exe 44 PID 1460 wrote to memory of 2920 1460 Neknki32.exe 44 PID 2920 wrote to memory of 1816 2920 Njhfcp32.exe 45 PID 2920 wrote to memory of 1816 2920 Njhfcp32.exe 45 PID 2920 wrote to memory of 1816 2920 Njhfcp32.exe 45 PID 2920 wrote to memory of 1816 2920 Njhfcp32.exe 45 PID 1816 wrote to memory of 448 1816 Nabopjmj.exe 46 PID 1816 wrote to memory of 448 1816 Nabopjmj.exe 46 PID 1816 wrote to memory of 448 1816 Nabopjmj.exe 46 PID 1816 wrote to memory of 448 1816 Nabopjmj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe"C:\Users\Admin\AppData\Local\Temp\e0bba88d6351d1d67f53693357cd87c5e6c4e59985009aacf002c0869cdcc021.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe34⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe35⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe36⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe39⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe40⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe41⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe42⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe43⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe44⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe45⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe46⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe47⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe48⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe49⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe50⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe51⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe52⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe55⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe56⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe57⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe58⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe61⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe62⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe63⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe64⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe65⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe66⤵PID:3004
-
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe67⤵PID:3020
-
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe68⤵PID:2328
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe69⤵PID:2440
-
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe70⤵PID:3060
-
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe72⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe73⤵PID:2540
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe75⤵PID:1780
-
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe78⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe80⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe83⤵PID:1736
-
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe84⤵PID:552
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe85⤵PID:2060
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe86⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe87⤵PID:2812
-
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe88⤵PID:2552
-
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe90⤵PID:992
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe91⤵PID:1268
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe92⤵PID:1296
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe93⤵PID:3028
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe96⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe97⤵PID:2268
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe98⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe99⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe100⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe102⤵PID:1032
-
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe103⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe105⤵PID:1244
-
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe106⤵PID:1484
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe107⤵PID:1756
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe108⤵PID:928
-
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe109⤵PID:1784
-
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe111⤵PID:1820
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe112⤵PID:2632
-
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe113⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe114⤵PID:1096
-
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe115⤵PID:2612
-
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Dfmeccao.exeC:\Windows\system32\Dfmeccao.exe117⤵PID:924
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe120⤵
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe121⤵PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-