Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
37s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 10:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1eb51b14471a433903e02ce959ef4e60N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
1eb51b14471a433903e02ce959ef4e60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
1eb51b14471a433903e02ce959ef4e60N.exe
-
Size
80KB
-
MD5
1eb51b14471a433903e02ce959ef4e60
-
SHA1
ab9c67ca3c27cf23a64a303fceb7713ffe8d02b3
-
SHA256
6aef564cb2a4ab372cdd2810b9e8ac660a4528dc9dbba18637fe12320ffa453b
-
SHA512
94b2c62d991b4178da2a41754c56a319cf2dfae4947837e150ba6c713b5ccfe0cae3e960f96c9071b68802b9ed938fa3f7b628dd9f0b8e82a6f3489f963bb52f
-
SSDEEP
1536:Kcn7TIcXFluuXZdr1qjW2LtEwfi+TjRC/6y:57luYZdc7ewf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiekkdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cconcjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbjgjqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppqqbjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfdbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankckagj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccgni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fillabde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpfpmonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjjifji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apllml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlnmjkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdemap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdophn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakcan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmacgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhmhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obffpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkoojip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohlnkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmcbojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnbbjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfaopc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boainhic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofhdidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mookod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epjdbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhhie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figoefkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkbfmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbjgjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dghjmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljhmmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaiijgbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegbpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbgdh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2332 Mkconepp.exe 2224 Mookod32.exe 2880 Nndhpqma.exe 524 Niilmi32.exe 2944 Nkhhie32.exe 2612 Ndpmbjbk.exe 2804 Ngoinfao.exe 852 Nmkbfmpf.exe 1204 Ndbjgjqh.exe 548 Njobpa32.exe 296 Nqijmkfm.exe 2932 Ncggifep.exe 2448 Nidoamch.exe 820 Ncjcnfcn.exe 2412 Oiglfm32.exe 1108 Opqdcgib.exe 2336 Ofklpa32.exe 2264 Omddmkhl.exe 2504 Opcaiggo.exe 2436 Onfadc32.exe 1792 Oikeal32.exe 760 Opennf32.exe 1676 Obdjjb32.exe 1448 Ojoood32.exe 1272 Obffpa32.exe 2444 Odgchjhl.exe 2884 Ojakdd32.exe 2748 Oakcan32.exe 2904 Pegpamoo.exe 2640 Phelnhnb.exe 2316 Ppqqbjkm.exe 2360 Ppcmhj32.exe 1576 Pbaide32.exe 2496 Pikaqppk.exe 1536 Pfobjdoe.exe 2676 Pojgnf32.exe 2456 Pfaopc32.exe 2132 Qomcdf32.exe 708 Qeglqpaj.exe 2484 Qlqdmj32.exe 2416 Qamleagn.exe 1560 Ahgdbk32.exe 2172 Amdmkb32.exe 1992 Aapikqel.exe 1860 Adnegldo.exe 2196 Agmacgcc.exe 1036 Aodjdede.exe 1420 Anfjpa32.exe 1064 Ahlnmjkf.exe 656 Akjjifji.exe 2272 Aniffaim.exe 2772 Apgcbmha.exe 2672 Acfonhgd.exe 2688 Akmgoehg.exe 2472 Ankckagj.exe 2188 Apjpglfn.exe 2792 Achlch32.exe 3056 Aefhpc32.exe 1808 Annpaq32.exe 2600 Apllml32.exe 2252 Bgfdjfkh.exe 1636 Bjdqfajl.exe 1472 Blcmbmip.exe 2004 Boainhic.exe -
Loads dropped DLL 64 IoCs
pid Process 3048 1eb51b14471a433903e02ce959ef4e60N.exe 3048 1eb51b14471a433903e02ce959ef4e60N.exe 2332 Mkconepp.exe 2332 Mkconepp.exe 2224 Mookod32.exe 2224 Mookod32.exe 2880 Nndhpqma.exe 2880 Nndhpqma.exe 524 Niilmi32.exe 524 Niilmi32.exe 2944 Nkhhie32.exe 2944 Nkhhie32.exe 2612 Ndpmbjbk.exe 2612 Ndpmbjbk.exe 2804 Ngoinfao.exe 2804 Ngoinfao.exe 852 Nmkbfmpf.exe 852 Nmkbfmpf.exe 1204 Ndbjgjqh.exe 1204 Ndbjgjqh.exe 548 Njobpa32.exe 548 Njobpa32.exe 296 Nqijmkfm.exe 296 Nqijmkfm.exe 2932 Ncggifep.exe 2932 Ncggifep.exe 2448 Nidoamch.exe 2448 Nidoamch.exe 820 Ncjcnfcn.exe 820 Ncjcnfcn.exe 2412 Oiglfm32.exe 2412 Oiglfm32.exe 1108 Opqdcgib.exe 1108 Opqdcgib.exe 2336 Ofklpa32.exe 2336 Ofklpa32.exe 2264 Omddmkhl.exe 2264 Omddmkhl.exe 2504 Opcaiggo.exe 2504 Opcaiggo.exe 2436 Onfadc32.exe 2436 Onfadc32.exe 1792 Oikeal32.exe 1792 Oikeal32.exe 760 Opennf32.exe 760 Opennf32.exe 1676 Obdjjb32.exe 1676 Obdjjb32.exe 1448 Ojoood32.exe 1448 Ojoood32.exe 1272 Obffpa32.exe 1272 Obffpa32.exe 2444 Odgchjhl.exe 2444 Odgchjhl.exe 2884 Ojakdd32.exe 2884 Ojakdd32.exe 2748 Oakcan32.exe 2748 Oakcan32.exe 2904 Pegpamoo.exe 2904 Pegpamoo.exe 2640 Phelnhnb.exe 2640 Phelnhnb.exe 2316 Ppqqbjkm.exe 2316 Ppqqbjkm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cohlnkeg.exe Cmjoaofc.exe File opened for modification C:\Windows\SysWOW64\Opqdcgib.exe Oiglfm32.exe File created C:\Windows\SysWOW64\Gobhkhgi.dll Ofklpa32.exe File opened for modification C:\Windows\SysWOW64\Akjjifji.exe Ahlnmjkf.exe File created C:\Windows\SysWOW64\Mbflok32.dll Boainhic.exe File opened for modification C:\Windows\SysWOW64\Gohqhl32.exe Gpfpmonn.exe File created C:\Windows\SysWOW64\Hqemlbqi.exe Hbblpf32.exe File opened for modification C:\Windows\SysWOW64\Nmkbfmpf.exe Ngoinfao.exe File created C:\Windows\SysWOW64\Njobpa32.exe Ndbjgjqh.exe File opened for modification C:\Windows\SysWOW64\Dnfkefad.exe Dfpcdh32.exe File created C:\Windows\SysWOW64\Ggkoojip.exe Gdmcbojl.exe File created C:\Windows\SysWOW64\Eghifl32.dll Pikaqppk.exe File created C:\Windows\SysWOW64\Apjpglfn.exe Ankckagj.exe File created C:\Windows\SysWOW64\Oacqge32.dll Bdehgnqc.exe File created C:\Windows\SysWOW64\Hibgakob.dll Fdhigo32.exe File opened for modification C:\Windows\SysWOW64\Aapikqel.exe Amdmkb32.exe File created C:\Windows\SysWOW64\Opfjnm32.dll Cohlnkeg.exe File opened for modification C:\Windows\SysWOW64\Eponmmaj.exe Emqaaabg.exe File opened for modification C:\Windows\SysWOW64\Giikkehc.exe Ggkoojip.exe File created C:\Windows\SysWOW64\Ccbpjqqq.dll Gokmnlcf.exe File opened for modification C:\Windows\SysWOW64\Hnljkf32.exe Hfdbji32.exe File opened for modification C:\Windows\SysWOW64\Ndpmbjbk.exe Nkhhie32.exe File opened for modification C:\Windows\SysWOW64\Nidoamch.exe Ncggifep.exe File created C:\Windows\SysWOW64\Kcghhg32.dll Pbaide32.exe File created C:\Windows\SysWOW64\Nffpfe32.dll Pfobjdoe.exe File opened for modification C:\Windows\SysWOW64\Hnbgdh32.exe Hkdkhl32.exe File created C:\Windows\SysWOW64\Kgggld32.dll Oiglfm32.exe File opened for modification C:\Windows\SysWOW64\Qomcdf32.exe Pfaopc32.exe File created C:\Windows\SysWOW64\Bkjfhile.exe Bfnnpbnn.exe File opened for modification C:\Windows\SysWOW64\Cmjoaofc.exe Cjkcedgp.exe File created C:\Windows\SysWOW64\Lfamkl32.dll Faimkd32.exe File created C:\Windows\SysWOW64\Hkfgnldd.exe Hhhkbqea.exe File created C:\Windows\SysWOW64\Kbajcaio.dll Hqcpfcbl.exe File opened for modification C:\Windows\SysWOW64\Hbblpf32.exe Hngppgae.exe File opened for modification C:\Windows\SysWOW64\Hqjfgb32.exe Hnljkf32.exe File created C:\Windows\SysWOW64\Qlqdmj32.exe Qeglqpaj.exe File created C:\Windows\SysWOW64\Emqfen32.dll Qamleagn.exe File created C:\Windows\SysWOW64\Bcobdgoj.exe Blejgm32.exe File created C:\Windows\SysWOW64\Bhngbm32.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Cconcjae.exe Cqqbgoba.exe File created C:\Windows\SysWOW64\Cmgblphf.exe Cjifpdib.exe File created C:\Windows\SysWOW64\Akfalc32.dll Cccgni32.exe File created C:\Windows\SysWOW64\Eodknifb.exe Ehjbaooe.exe File opened for modification C:\Windows\SysWOW64\Eabgjeef.exe Eodknifb.exe File opened for modification C:\Windows\SysWOW64\Gokmnlcf.exe Gllabp32.exe File opened for modification C:\Windows\SysWOW64\Dfbdje32.exe Cccgni32.exe File created C:\Windows\SysWOW64\Dieiap32.exe Dbkaee32.exe File created C:\Windows\SysWOW64\Qfchcq32.dll Epmahmcm.exe File created C:\Windows\SysWOW64\Nbbjbd32.dll Fofhdidp.exe File created C:\Windows\SysWOW64\Gllabp32.exe Ginefe32.exe File opened for modification C:\Windows\SysWOW64\Hnecjgch.exe Hkfgnldd.exe File created C:\Windows\SysWOW64\Ecbjdbcp.dll Hnimeg32.exe File created C:\Windows\SysWOW64\Fkficd32.dll Hnljkf32.exe File created C:\Windows\SysWOW64\Ldcenn32.dll 1eb51b14471a433903e02ce959ef4e60N.exe File opened for modification C:\Windows\SysWOW64\Emlhfb32.exe Ejmljg32.exe File created C:\Windows\SysWOW64\Epnfkjll.dll Ggkoojip.exe File created C:\Windows\SysWOW64\Kghonhno.dll Hnecjgch.exe File created C:\Windows\SysWOW64\Jmmnpc32.dll Edhmhl32.exe File created C:\Windows\SysWOW64\Ppqqbjkm.exe Phelnhnb.exe File created C:\Windows\SysWOW64\Apllml32.exe Annpaq32.exe File opened for modification C:\Windows\SysWOW64\Cjfjjd32.exe Cfknjfbl.exe File opened for modification C:\Windows\SysWOW64\Cjifpdib.exe Cfmjoe32.exe File opened for modification C:\Windows\SysWOW64\Gkancm32.exe Ghcbga32.exe File created C:\Windows\SysWOW64\Qmhfaj32.dll Cgfqii32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3912 3888 WerFault.exe 223 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndpmbjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapikqel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fomndhng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdbji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmcmaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niilmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikaqppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckamihfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfiofefm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjfmolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqjfgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgooikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opennf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpakdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfadc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnmjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkconepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blejgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcobdgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohlnkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgokcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eodknifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geplpfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofklpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofhdidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaiijgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkidclbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homfboco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mookod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njobpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmcbojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojoood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fillabde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febmfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjhgpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnnpbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjmlnm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbjgjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaebeiqd.dll" Aapikqel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpmmd32.dll" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qamleagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcnhqfk.dll" Aefhpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgggld32.dll" Oiglfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjklkdh.dll" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfjjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhgafa.dll" Gohqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgooikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chidkl32.dll" Bhjngnod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emoghm32.dll" Hqemlbqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajclkk32.dll" Cmgblphf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkbjlk32.dll" Gdmcbojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjcnfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfnln32.dll" Cjfjjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cconcjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdejeo32.dll" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankckagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghjmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmhjhpn.dll" Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obffpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdaeh32.dll" Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omdkhjjg.dll" Cbdkdffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmjoaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdophn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdophn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1eb51b14471a433903e02ce959ef4e60N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1eb51b14471a433903e02ce959ef4e60N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 1eb51b14471a433903e02ce959ef4e60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll" Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlnmjkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefhpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmnclpk.dll" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhac32.dll" Cmbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addlbf32.dll" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boobcigh.dll" Ginefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkaik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojakdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boainhic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdigbbj.dll" Fhlogo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opennf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foookanl.dll" Bapejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 1eb51b14471a433903e02ce959ef4e60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aniffaim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfonhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnljkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcfmolmc.dll" Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opennf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll" Cqlhlo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2332 3048 1eb51b14471a433903e02ce959ef4e60N.exe 29 PID 3048 wrote to memory of 2332 3048 1eb51b14471a433903e02ce959ef4e60N.exe 29 PID 3048 wrote to memory of 2332 3048 1eb51b14471a433903e02ce959ef4e60N.exe 29 PID 3048 wrote to memory of 2332 3048 1eb51b14471a433903e02ce959ef4e60N.exe 29 PID 2332 wrote to memory of 2224 2332 Mkconepp.exe 30 PID 2332 wrote to memory of 2224 2332 Mkconepp.exe 30 PID 2332 wrote to memory of 2224 2332 Mkconepp.exe 30 PID 2332 wrote to memory of 2224 2332 Mkconepp.exe 30 PID 2224 wrote to memory of 2880 2224 Mookod32.exe 31 PID 2224 wrote to memory of 2880 2224 Mookod32.exe 31 PID 2224 wrote to memory of 2880 2224 Mookod32.exe 31 PID 2224 wrote to memory of 2880 2224 Mookod32.exe 31 PID 2880 wrote to memory of 524 2880 Nndhpqma.exe 32 PID 2880 wrote to memory of 524 2880 Nndhpqma.exe 32 PID 2880 wrote to memory of 524 2880 Nndhpqma.exe 32 PID 2880 wrote to memory of 524 2880 Nndhpqma.exe 32 PID 524 wrote to memory of 2944 524 Niilmi32.exe 33 PID 524 wrote to memory of 2944 524 Niilmi32.exe 33 PID 524 wrote to memory of 2944 524 Niilmi32.exe 33 PID 524 wrote to memory of 2944 524 Niilmi32.exe 33 PID 2944 wrote to memory of 2612 2944 Nkhhie32.exe 34 PID 2944 wrote to memory of 2612 2944 Nkhhie32.exe 34 PID 2944 wrote to memory of 2612 2944 Nkhhie32.exe 34 PID 2944 wrote to memory of 2612 2944 Nkhhie32.exe 34 PID 2612 wrote to memory of 2804 2612 Ndpmbjbk.exe 35 PID 2612 wrote to memory of 2804 2612 Ndpmbjbk.exe 35 PID 2612 wrote to memory of 2804 2612 Ndpmbjbk.exe 35 PID 2612 wrote to memory of 2804 2612 Ndpmbjbk.exe 35 PID 2804 wrote to memory of 852 2804 Ngoinfao.exe 36 PID 2804 wrote to memory of 852 2804 Ngoinfao.exe 36 PID 2804 wrote to memory of 852 2804 Ngoinfao.exe 36 PID 2804 wrote to memory of 852 2804 Ngoinfao.exe 36 PID 852 wrote to memory of 1204 852 Nmkbfmpf.exe 37 PID 852 wrote to memory of 1204 852 Nmkbfmpf.exe 37 PID 852 wrote to memory of 1204 852 Nmkbfmpf.exe 37 PID 852 wrote to memory of 1204 852 Nmkbfmpf.exe 37 PID 1204 wrote to memory of 548 1204 Ndbjgjqh.exe 38 PID 1204 wrote to memory of 548 1204 Ndbjgjqh.exe 38 PID 1204 wrote to memory of 548 1204 Ndbjgjqh.exe 38 PID 1204 wrote to memory of 548 1204 Ndbjgjqh.exe 38 PID 548 wrote to memory of 296 548 Njobpa32.exe 39 PID 548 wrote to memory of 296 548 Njobpa32.exe 39 PID 548 wrote to memory of 296 548 Njobpa32.exe 39 PID 548 wrote to memory of 296 548 Njobpa32.exe 39 PID 296 wrote to memory of 2932 296 Nqijmkfm.exe 40 PID 296 wrote to memory of 2932 296 Nqijmkfm.exe 40 PID 296 wrote to memory of 2932 296 Nqijmkfm.exe 40 PID 296 wrote to memory of 2932 296 Nqijmkfm.exe 40 PID 2932 wrote to memory of 2448 2932 Ncggifep.exe 41 PID 2932 wrote to memory of 2448 2932 Ncggifep.exe 41 PID 2932 wrote to memory of 2448 2932 Ncggifep.exe 41 PID 2932 wrote to memory of 2448 2932 Ncggifep.exe 41 PID 2448 wrote to memory of 820 2448 Nidoamch.exe 42 PID 2448 wrote to memory of 820 2448 Nidoamch.exe 42 PID 2448 wrote to memory of 820 2448 Nidoamch.exe 42 PID 2448 wrote to memory of 820 2448 Nidoamch.exe 42 PID 820 wrote to memory of 2412 820 Ncjcnfcn.exe 43 PID 820 wrote to memory of 2412 820 Ncjcnfcn.exe 43 PID 820 wrote to memory of 2412 820 Ncjcnfcn.exe 43 PID 820 wrote to memory of 2412 820 Ncjcnfcn.exe 43 PID 2412 wrote to memory of 1108 2412 Oiglfm32.exe 44 PID 2412 wrote to memory of 1108 2412 Oiglfm32.exe 44 PID 2412 wrote to memory of 1108 2412 Oiglfm32.exe 44 PID 2412 wrote to memory of 1108 2412 Oiglfm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1eb51b14471a433903e02ce959ef4e60N.exe"C:\Users\Admin\AppData\Local\Temp\1eb51b14471a433903e02ce959ef4e60N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Niilmi32.exeC:\Windows\system32\Niilmi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Nkhhie32.exeC:\Windows\system32\Nkhhie32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ngoinfao.exeC:\Windows\system32\Ngoinfao.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Ndbjgjqh.exeC:\Windows\system32\Ndbjgjqh.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Oikeal32.exeC:\Windows\system32\Oikeal32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe39⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:708 -
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe41⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe43⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe46⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe48⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe49⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe63⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe66⤵PID:2460
-
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe68⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe70⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe72⤵PID:2164
-
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe74⤵PID:1748
-
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe75⤵PID:2844
-
C:\Windows\SysWOW64\Bbflkcao.exeC:\Windows\system32\Bbflkcao.exe76⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe80⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe81⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe82⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe83⤵PID:1928
-
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe87⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe88⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe91⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe92⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe93⤵PID:2176
-
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Cohlnkeg.exeC:\Windows\system32\Cohlnkeg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe101⤵PID:2832
-
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe102⤵PID:272
-
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe103⤵PID:2796
-
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe104⤵PID:2356
-
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe106⤵PID:1224
-
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe109⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe110⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe112⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe113⤵PID:2836
-
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe114⤵PID:924
-
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe115⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe116⤵PID:2424
-
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe117⤵PID:996
-
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe118⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe119⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe120⤵PID:2784
-
C:\Windows\SysWOW64\Epjdbn32.exeC:\Windows\system32\Epjdbn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-