Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 00:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe
-
Size
124KB
-
MD5
adaee7e877fb1cc466dc590a405bf58c
-
SHA1
c7f877bf36421ed5e38e2188cd0fe67880d244e5
-
SHA256
cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9
-
SHA512
b9fdcc7a30f56afddc37c41ed64c8089bc5aeaa04055b62e0e02c181cedc18edddf33cdaaac4432ee2ed2fffaccd64310706e7e9e26be0a2e3d75b868d6bf625
-
SSDEEP
1536:h03LJE66CYU/tQ+ECDTOSYnbvDrpnGXlRjXq+66DFUABABOVLefEjw6YmLsAjqLu:0LJEk9fOhnbvgRj6+JB8M6m9jqLsFmsr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqambacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnaekil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjjmbgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egimdmmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnppgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbcikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokofpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mginjnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbqqlfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elqcnfdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfglocf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgqpjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnomkloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pceqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjham32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeiobgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llfcik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdkhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnjfffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhbpfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhlnahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Febjmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpbgbdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbamc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagkmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfgalcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigohejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdbefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhbjjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhljpmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicbma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocdmccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhihpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdmljln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjhkpbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkeeikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kogffida.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihooog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqqdigko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njcibgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pooaaink.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcllfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Bfppgohb.exe 2352 Bmjhdi32.exe 2972 Baecehhh.exe 2824 Bfblmofp.exe 2872 Bpkqfdmp.exe 2704 Bfeibo32.exe 280 Claake32.exe 1796 Cfgehn32.exe 584 Chhbpfhi.exe 2956 Cppjadhk.exe 2964 Celbik32.exe 3032 Chkoef32.exe 2056 Codgbqmc.exe 1212 Caccnllf.exe 1844 Cligkdlm.exe 2212 Cogdhpkp.exe 2148 Cealdjcm.exe 692 Chohqebq.exe 1168 Cmlqimph.exe 1648 Cahmik32.exe 1516 Dkpabqoa.exe 2748 Dpmjjhmi.exe 2496 Ddhekfeb.exe 2632 Dggbgadf.exe 1148 Dalfdjdl.exe 2804 Ddkbqfcp.exe 2780 Dmcgik32.exe 2916 Dlfgehqk.exe 884 Ddmofeam.exe 1536 Dijgnm32.exe 2676 Dlhdjh32.exe 1192 Dcblgbfe.exe 1316 Dpflqfeo.exe 2204 Eoimlc32.exe 1924 Ehaaei32.exe 2932 Elmmegkb.exe 2524 Eokiabjf.exe 308 Edhbjjhn.exe 2052 Elpjkgip.exe 860 Eonfgbhc.exe 904 Ehfkphnd.exe 924 Ekdglcmh.exe 2428 Encchoml.exe 776 Egkgad32.exe 1888 Enepnoji.exe 1008 Epdljjjm.exe 2596 Ecbhfeip.exe 2812 Ekipgb32.exe 2376 Fnhlcn32.exe 2696 Fqfipj32.exe 2844 Fdaephpc.exe 1460 Ffcahq32.exe 2472 Fnjiin32.exe 2528 Fokfqflb.exe 2312 Fcgaae32.exe 2988 Fgbnbcmd.exe 3060 Fjajno32.exe 2308 Fonbff32.exe 900 Fcingdbh.exe 2120 Ffhkcpal.exe 2500 Fhfgokap.exe 736 Fkdckgpc.exe 492 Fopole32.exe 2136 Fbnkha32.exe -
Loads dropped DLL 64 IoCs
pid Process 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 1996 Bfppgohb.exe 1996 Bfppgohb.exe 2352 Bmjhdi32.exe 2352 Bmjhdi32.exe 2972 Baecehhh.exe 2972 Baecehhh.exe 2824 Bfblmofp.exe 2824 Bfblmofp.exe 2872 Bpkqfdmp.exe 2872 Bpkqfdmp.exe 2704 Bfeibo32.exe 2704 Bfeibo32.exe 280 Claake32.exe 280 Claake32.exe 1796 Cfgehn32.exe 1796 Cfgehn32.exe 584 Chhbpfhi.exe 584 Chhbpfhi.exe 2956 Cppjadhk.exe 2956 Cppjadhk.exe 2964 Celbik32.exe 2964 Celbik32.exe 3032 Chkoef32.exe 3032 Chkoef32.exe 2056 Codgbqmc.exe 2056 Codgbqmc.exe 1212 Caccnllf.exe 1212 Caccnllf.exe 1844 Cligkdlm.exe 1844 Cligkdlm.exe 2212 Cogdhpkp.exe 2212 Cogdhpkp.exe 2148 Cealdjcm.exe 2148 Cealdjcm.exe 692 Chohqebq.exe 692 Chohqebq.exe 1168 Cmlqimph.exe 1168 Cmlqimph.exe 1648 Cahmik32.exe 1648 Cahmik32.exe 1516 Dkpabqoa.exe 1516 Dkpabqoa.exe 2748 Dpmjjhmi.exe 2748 Dpmjjhmi.exe 2496 Ddhekfeb.exe 2496 Ddhekfeb.exe 2632 Dggbgadf.exe 2632 Dggbgadf.exe 1148 Dalfdjdl.exe 1148 Dalfdjdl.exe 2804 Ddkbqfcp.exe 2804 Ddkbqfcp.exe 2780 Dmcgik32.exe 2780 Dmcgik32.exe 2916 Dlfgehqk.exe 2916 Dlfgehqk.exe 884 Ddmofeam.exe 884 Ddmofeam.exe 1536 Dijgnm32.exe 1536 Dijgnm32.exe 2676 Dlhdjh32.exe 2676 Dlhdjh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Epdljjjm.exe Enepnoji.exe File created C:\Windows\SysWOW64\Gkkilfjk.exe Gimmpj32.exe File opened for modification C:\Windows\SysWOW64\Khhndi32.exe Kejahn32.exe File created C:\Windows\SysWOW64\Bfnkpedc.dll Damhmc32.exe File opened for modification C:\Windows\SysWOW64\Dhjdjc32.exe Dekhnh32.exe File created C:\Windows\SysWOW64\Dleeedlm.dll Mpaoojjb.exe File created C:\Windows\SysWOW64\Ibbjgneh.dll Pbnckg32.exe File created C:\Windows\SysWOW64\Gqkqbe32.exe Glpdbfek.exe File created C:\Windows\SysWOW64\Jcjlicgq.dll Imdjlida.exe File created C:\Windows\SysWOW64\Hoakai32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hehconob.exe Hamgno32.exe File created C:\Windows\SysWOW64\Enfbchek.dll Mgdmeh32.exe File created C:\Windows\SysWOW64\Omlahqeo.exe Ojnelefl.exe File created C:\Windows\SysWOW64\Lfimpl32.dll Fpihnbmk.exe File opened for modification C:\Windows\SysWOW64\Ddhekfeb.exe Dpmjjhmi.exe File opened for modification C:\Windows\SysWOW64\Acjfpokk.exe Aonjpp32.exe File opened for modification C:\Windows\SysWOW64\Ognoodja.dll Ajghgd32.exe File created C:\Windows\SysWOW64\Ahjldnpp.dll Jbjejojn.exe File created C:\Windows\SysWOW64\Bleppqce.dll Dmcgik32.exe File opened for modification C:\Windows\SysWOW64\Qlbnja32.exe Qhgbibgg.exe File opened for modification C:\Windows\SysWOW64\Ilceog32.exe Imqdcjkd.exe File created C:\Windows\SysWOW64\Khhndi32.exe Kejahn32.exe File created C:\Windows\SysWOW64\Ahllnc32.dll Mgaqohql.exe File created C:\Windows\SysWOW64\Jpaood32.dll Loofjg32.exe File created C:\Windows\SysWOW64\Chohqebq.exe Cealdjcm.exe File created C:\Windows\SysWOW64\Cfpgfhpe.dll Ifqfge32.exe File created C:\Windows\SysWOW64\Cdcgccok.dll Jblpge32.exe File opened for modification C:\Windows\SysWOW64\Gafcahil.exe Gnjhaj32.exe File created C:\Windows\SysWOW64\Lepapf32.dll Njlcah32.exe File created C:\Windows\SysWOW64\Cnogmk32.exe Ckajqo32.exe File created C:\Windows\SysWOW64\Faefoo32.dll Kaillp32.exe File opened for modification C:\Windows\SysWOW64\Kobmkj32.exe Kppmpmal.exe File opened for modification C:\Windows\SysWOW64\Fgqcel32.exe Fdbgia32.exe File created C:\Windows\SysWOW64\Appcjgmk.dll Hbcabc32.exe File opened for modification C:\Windows\SysWOW64\Jdhlih32.exe Iaipmm32.exe File created C:\Windows\SysWOW64\Kanfgofa.exe Knbjgq32.exe File opened for modification C:\Windows\SysWOW64\Ipijpkei.exe Imkndofe.exe File opened for modification C:\Windows\SysWOW64\Kgjelg32.exe Kobmkj32.exe File opened for modification C:\Windows\SysWOW64\Pojdem32.exe Ppgdjqna.exe File created C:\Windows\SysWOW64\Fmdpejgf.exe Fdmgdl32.exe File opened for modification C:\Windows\SysWOW64\Ohkpdj32.exe Ododdlcd.exe File opened for modification C:\Windows\SysWOW64\Bjnjfffm.exe Bgpnjkgi.exe File opened for modification C:\Windows\SysWOW64\Egkgad32.exe Encchoml.exe File created C:\Windows\SysWOW64\Igllbl32.dll Ecodfogg.exe File created C:\Windows\SysWOW64\Kekkkm32.exe Process not Found File created C:\Windows\SysWOW64\Agcekn32.exe Adeiobgc.exe File created C:\Windows\SysWOW64\Cbcikn32.exe Ccaipaho.exe File created C:\Windows\SysWOW64\Kfimea32.dll Cpgieb32.exe File created C:\Windows\SysWOW64\Iigehk32.exe Ieligmho.exe File created C:\Windows\SysWOW64\Fkmogi32.dll Pelpgb32.exe File created C:\Windows\SysWOW64\Ccileljk.exe Ckbccnji.exe File created C:\Windows\SysWOW64\Biiqmd32.dll Hkiknb32.exe File created C:\Windows\SysWOW64\Ccaipaho.exe Cabldeik.exe File opened for modification C:\Windows\SysWOW64\Eipjmk32.exe Eganqo32.exe File created C:\Windows\SysWOW64\Icponb32.exe Ipecndab.exe File opened for modification C:\Windows\SysWOW64\Fokfqflb.exe Fnjiin32.exe File created C:\Windows\SysWOW64\Qokdamgl.dll Fkdckgpc.exe File created C:\Windows\SysWOW64\Aepkphoe.dll Dbhbfmkd.exe File opened for modification C:\Windows\SysWOW64\Bbjoki32.exe Bokcom32.exe File created C:\Windows\SysWOW64\Dcfknooi.exe Dedkbb32.exe File created C:\Windows\SysWOW64\Hqpahkmj.exe Gnbelong.exe File created C:\Windows\SysWOW64\Daqibb32.dll Eokiabjf.exe File created C:\Windows\SysWOW64\Dajabd32.dll Ehfkphnd.exe File created C:\Windows\SysWOW64\Boeppomj.exe Bmgddcnf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10964 10944 Process not Found 1165 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkbhae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgedepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkpomkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhdfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhjijpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbhpegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plheil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfggeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgqoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfjpemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgihjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obijpgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emceag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjanfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkpdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjjcogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlepjbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faikbkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankabh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigohejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmofeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmmegkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkeofnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmmanif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfingaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodoefed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdglcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbqdldhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiclnpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghjqlmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbhbfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdpaqej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobgjhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlpmndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Claake32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmdpejgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqambacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjmenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdcejph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhbpfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qamjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdooij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdeaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipecndab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiihgoh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjkfglom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acloba32.dll" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgnemhfd.dll" Obonfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnhkclm.dll" Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlopjbp.dll" Mnaiah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqimoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkfoiql.dll" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cemebcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajngking.dll" Ndehjnpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfchcp.dll" Epqhjdhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klbdiokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbjgneh.dll" Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcnol32.dll" Edmnnakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beplcfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oppbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpdlk32.dll" Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkddaih.dll" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmpmjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgglia32.dll" Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpallpil.dll" Claake32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keehmobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkblpcle.dll" Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjdmfaj.dll" Flmlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnjhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibeloo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpipkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobjghoh.dll" Kanfgofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocalffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcjmikpa.dll" Jgbolhoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andkbien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqfipj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmifiahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblaal32.dll" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfomk32.dll" Bphmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmaimj32.dll" Bmjhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epochndp.dll" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajbdm32.dll" Epgoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedkbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pknakhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldnbeokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimfmeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehbcnajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmplgki.dll" Hojqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoomga.dll" Kobmkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmdfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kppmpmal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgedepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoodlbd.dll" Cmocha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjnmj32.dll" Opbopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpoboge.dll" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnaekil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 1996 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 30 PID 964 wrote to memory of 1996 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 30 PID 964 wrote to memory of 1996 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 30 PID 964 wrote to memory of 1996 964 cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe 30 PID 1996 wrote to memory of 2352 1996 Bfppgohb.exe 31 PID 1996 wrote to memory of 2352 1996 Bfppgohb.exe 31 PID 1996 wrote to memory of 2352 1996 Bfppgohb.exe 31 PID 1996 wrote to memory of 2352 1996 Bfppgohb.exe 31 PID 2352 wrote to memory of 2972 2352 Bmjhdi32.exe 32 PID 2352 wrote to memory of 2972 2352 Bmjhdi32.exe 32 PID 2352 wrote to memory of 2972 2352 Bmjhdi32.exe 32 PID 2352 wrote to memory of 2972 2352 Bmjhdi32.exe 32 PID 2972 wrote to memory of 2824 2972 Baecehhh.exe 33 PID 2972 wrote to memory of 2824 2972 Baecehhh.exe 33 PID 2972 wrote to memory of 2824 2972 Baecehhh.exe 33 PID 2972 wrote to memory of 2824 2972 Baecehhh.exe 33 PID 2824 wrote to memory of 2872 2824 Bfblmofp.exe 34 PID 2824 wrote to memory of 2872 2824 Bfblmofp.exe 34 PID 2824 wrote to memory of 2872 2824 Bfblmofp.exe 34 PID 2824 wrote to memory of 2872 2824 Bfblmofp.exe 34 PID 2872 wrote to memory of 2704 2872 Bpkqfdmp.exe 35 PID 2872 wrote to memory of 2704 2872 Bpkqfdmp.exe 35 PID 2872 wrote to memory of 2704 2872 Bpkqfdmp.exe 35 PID 2872 wrote to memory of 2704 2872 Bpkqfdmp.exe 35 PID 2704 wrote to memory of 280 2704 Bfeibo32.exe 36 PID 2704 wrote to memory of 280 2704 Bfeibo32.exe 36 PID 2704 wrote to memory of 280 2704 Bfeibo32.exe 36 PID 2704 wrote to memory of 280 2704 Bfeibo32.exe 36 PID 280 wrote to memory of 1796 280 Claake32.exe 37 PID 280 wrote to memory of 1796 280 Claake32.exe 37 PID 280 wrote to memory of 1796 280 Claake32.exe 37 PID 280 wrote to memory of 1796 280 Claake32.exe 37 PID 1796 wrote to memory of 584 1796 Cfgehn32.exe 38 PID 1796 wrote to memory of 584 1796 Cfgehn32.exe 38 PID 1796 wrote to memory of 584 1796 Cfgehn32.exe 38 PID 1796 wrote to memory of 584 1796 Cfgehn32.exe 38 PID 584 wrote to memory of 2956 584 Chhbpfhi.exe 39 PID 584 wrote to memory of 2956 584 Chhbpfhi.exe 39 PID 584 wrote to memory of 2956 584 Chhbpfhi.exe 39 PID 584 wrote to memory of 2956 584 Chhbpfhi.exe 39 PID 2956 wrote to memory of 2964 2956 Cppjadhk.exe 40 PID 2956 wrote to memory of 2964 2956 Cppjadhk.exe 40 PID 2956 wrote to memory of 2964 2956 Cppjadhk.exe 40 PID 2956 wrote to memory of 2964 2956 Cppjadhk.exe 40 PID 2964 wrote to memory of 3032 2964 Celbik32.exe 41 PID 2964 wrote to memory of 3032 2964 Celbik32.exe 41 PID 2964 wrote to memory of 3032 2964 Celbik32.exe 41 PID 2964 wrote to memory of 3032 2964 Celbik32.exe 41 PID 3032 wrote to memory of 2056 3032 Chkoef32.exe 42 PID 3032 wrote to memory of 2056 3032 Chkoef32.exe 42 PID 3032 wrote to memory of 2056 3032 Chkoef32.exe 42 PID 3032 wrote to memory of 2056 3032 Chkoef32.exe 42 PID 2056 wrote to memory of 1212 2056 Codgbqmc.exe 43 PID 2056 wrote to memory of 1212 2056 Codgbqmc.exe 43 PID 2056 wrote to memory of 1212 2056 Codgbqmc.exe 43 PID 2056 wrote to memory of 1212 2056 Codgbqmc.exe 43 PID 1212 wrote to memory of 1844 1212 Caccnllf.exe 44 PID 1212 wrote to memory of 1844 1212 Caccnllf.exe 44 PID 1212 wrote to memory of 1844 1212 Caccnllf.exe 44 PID 1212 wrote to memory of 1844 1212 Caccnllf.exe 44 PID 1844 wrote to memory of 2212 1844 Cligkdlm.exe 45 PID 1844 wrote to memory of 2212 1844 Cligkdlm.exe 45 PID 1844 wrote to memory of 2212 1844 Cligkdlm.exe 45 PID 1844 wrote to memory of 2212 1844 Cligkdlm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe"C:\Users\Admin\AppData\Local\Temp\cea06f469773f38a5283417e3ca5ac7b171bc07b63e77e276fdb108cd504bed9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Cfgehn32.exeC:\Windows\system32\Cfgehn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Chkoef32.exeC:\Windows\system32\Chkoef32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Codgbqmc.exeC:\Windows\system32\Codgbqmc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Cealdjcm.exeC:\Windows\system32\Cealdjcm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Dkpabqoa.exeC:\Windows\system32\Dkpabqoa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe33⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe34⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe35⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe36⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Elmmegkb.exeC:\Windows\system32\Elmmegkb.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe41⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe45⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe47⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe48⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ekipgb32.exeC:\Windows\system32\Ekipgb32.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe50⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe52⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe53⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Fnjiin32.exeC:\Windows\system32\Fnjiin32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe55⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe56⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe57⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe58⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe59⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe60⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe61⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe62⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:736 -
C:\Windows\SysWOW64\Fopole32.exeC:\Windows\system32\Fopole32.exe64⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe65⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe66⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe67⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Fkgpaf32.exeC:\Windows\system32\Fkgpaf32.exe68⤵PID:1568
-
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe69⤵PID:2896
-
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe70⤵PID:2828
-
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe72⤵PID:1156
-
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe73⤵PID:1712
-
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe74⤵PID:2948
-
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe75⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Gkkilfjk.exeC:\Windows\system32\Gkkilfjk.exe76⤵PID:2640
-
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe77⤵PID:2188
-
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe78⤵PID:996
-
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe79⤵PID:1920
-
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe80⤵PID:2072
-
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe81⤵PID:1468
-
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe82⤵PID:2772
-
C:\Windows\SysWOW64\Gmobin32.exeC:\Windows\system32\Gmobin32.exe83⤵PID:2976
-
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe84⤵PID:2680
-
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe85⤵PID:944
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe86⤵PID:2520
-
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe87⤵PID:2044
-
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe88⤵PID:2636
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe89⤵PID:2556
-
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe90⤵PID:2380
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe91⤵PID:268
-
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe92⤵PID:1848
-
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe93⤵PID:1864
-
C:\Windows\SysWOW64\Hbqdldhi.exeC:\Windows\system32\Hbqdldhi.exe94⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe96⤵PID:2868
-
C:\Windows\SysWOW64\Hmfhjmho.exeC:\Windows\system32\Hmfhjmho.exe97⤵PID:2728
-
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe98⤵PID:2068
-
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe99⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe100⤵PID:2332
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe101⤵PID:1992
-
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe102⤵PID:1980
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe103⤵PID:2360
-
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe105⤵PID:2244
-
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe106⤵PID:968
-
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe107⤵PID:2236
-
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe108⤵PID:1112
-
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe109⤵PID:2876
-
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe110⤵PID:2736
-
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe111⤵PID:1708
-
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe112⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe113⤵PID:2996
-
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe114⤵PID:1552
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe115⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe116⤵PID:2624
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe117⤵PID:2152
-
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe118⤵PID:3068
-
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe119⤵PID:2716
-
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe120⤵PID:1272
-
C:\Windows\SysWOW64\Ihilqi32.exeC:\Windows\system32\Ihilqi32.exe121⤵PID:1640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-