Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
23/08/2024, 23:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e18b82a2cdd5ce7ba804caf8796211b0N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
e18b82a2cdd5ce7ba804caf8796211b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e18b82a2cdd5ce7ba804caf8796211b0N.exe
-
Size
313KB
-
MD5
e18b82a2cdd5ce7ba804caf8796211b0
-
SHA1
3e0016fb1ee3c89aa32bf376a26f301a04bff286
-
SHA256
42c4d13e80669e64c7ec7c538946a89720f30c5982ae96c60506d19b619d5213
-
SHA512
dd183f4b99c0923196605f301b44e7c2e5e6ceb2aee66173055b7d6ac75093b0fbfd447d287606efd51493499dc4935815f93045dec5a3cb72fb6d6bcfaf3872
-
SSDEEP
6144:+Y08lLSCPgZUmKyIxLDXXoq9FJZCUmKyIxLX:+d8ECM32XXf9Do3+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdngip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhcpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liibgkoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mheeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hehhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlbpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fefcmehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdamao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceeqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmepanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpnngi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nikkkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkkeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lchqcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocfiif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahhchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfahaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgpfpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bceeqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqjibkek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkgog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdppm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebpakbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdaabk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piohgbng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjpkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hadfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokdja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alaccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmcgmkil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqhapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baqhapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfggkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgfiocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdndeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhnqfla.exe -
Executes dropped EXE 64 IoCs
pid Process 2352 Imogcj32.exe 2660 Jnbpqb32.exe 2732 Jkfpjf32.exe 1524 Jkimpfmg.exe 1240 Jgpndg32.exe 1308 Jecnnk32.exe 1148 Jajocl32.exe 2948 Kfggkc32.exe 1860 Kjepaa32.exe 1656 Kpbhjh32.exe 1392 Kpdeoh32.exe 2276 Keango32.exe 2052 Kjpceebh.exe 2380 Lkbpke32.exe 1944 Lfippfej.exe 836 Ldmaijdc.exe 1668 Laaabo32.exe 1552 Lbbnjgik.exe 2488 Llkbcl32.exe 2516 Lgpfpe32.exe 2324 Mlmoilni.exe 1684 Mgbcfdmo.exe 1056 Mlolnllf.exe 2440 Monhjgkj.exe 2696 Mkdioh32.exe 1776 Mclqqeaq.exe 2824 Mldeik32.exe 2588 Maanab32.exe 2552 Mdojnm32.exe 3004 Mnhnfckm.exe 2200 Naegmabc.exe 1060 Nddcimag.exe 2100 Npkdnnfk.exe 2092 Ncipjieo.exe 2072 Nnodgbed.exe 2840 Nfjildbp.exe 1116 Nqpmimbe.exe 1824 Nbqjqehd.exe 2376 Njhbabif.exe 2216 Obcffefa.exe 2036 Omhkcnfg.exe 888 Onjgkf32.exe 2956 Ogbldk32.exe 1352 Ooidei32.exe 1784 Odflmp32.exe 2984 Ogdhik32.exe 1500 Objmgd32.exe 1164 Oehicoom.exe 2316 Okbapi32.exe 2704 Onamle32.exe 2724 Oqojhp32.exe 2608 Pgibdjln.exe 956 Pjhnqfla.exe 1540 Paafmp32.exe 1980 Pglojj32.exe 2788 Pimkbbpi.exe 2268 Padccpal.exe 1092 Pbepkh32.exe 1916 Piohgbng.exe 2244 Ppipdl32.exe 996 Pbglpg32.exe 2068 Pefhlcdk.exe 2416 Ppkmjlca.exe 2120 Pfeeff32.exe -
Loads dropped DLL 64 IoCs
pid Process 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 2352 Imogcj32.exe 2352 Imogcj32.exe 2660 Jnbpqb32.exe 2660 Jnbpqb32.exe 2732 Jkfpjf32.exe 2732 Jkfpjf32.exe 1524 Jkimpfmg.exe 1524 Jkimpfmg.exe 1240 Jgpndg32.exe 1240 Jgpndg32.exe 1308 Jecnnk32.exe 1308 Jecnnk32.exe 1148 Jajocl32.exe 1148 Jajocl32.exe 2948 Kfggkc32.exe 2948 Kfggkc32.exe 1860 Kjepaa32.exe 1860 Kjepaa32.exe 1656 Kpbhjh32.exe 1656 Kpbhjh32.exe 1392 Kpdeoh32.exe 1392 Kpdeoh32.exe 2276 Keango32.exe 2276 Keango32.exe 2052 Kjpceebh.exe 2052 Kjpceebh.exe 2380 Lkbpke32.exe 2380 Lkbpke32.exe 1944 Lfippfej.exe 1944 Lfippfej.exe 836 Ldmaijdc.exe 836 Ldmaijdc.exe 1668 Laaabo32.exe 1668 Laaabo32.exe 1552 Lbbnjgik.exe 1552 Lbbnjgik.exe 2488 Llkbcl32.exe 2488 Llkbcl32.exe 2516 Lgpfpe32.exe 2516 Lgpfpe32.exe 2324 Mlmoilni.exe 2324 Mlmoilni.exe 1684 Mgbcfdmo.exe 1684 Mgbcfdmo.exe 1056 Mlolnllf.exe 1056 Mlolnllf.exe 2440 Monhjgkj.exe 2440 Monhjgkj.exe 2696 Mkdioh32.exe 2696 Mkdioh32.exe 1776 Mclqqeaq.exe 1776 Mclqqeaq.exe 2824 Mldeik32.exe 2824 Mldeik32.exe 2588 Maanab32.exe 2588 Maanab32.exe 2552 Mdojnm32.exe 2552 Mdojnm32.exe 3004 Mnhnfckm.exe 3004 Mnhnfckm.exe 2200 Naegmabc.exe 2200 Naegmabc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bflpbe32.dll Pglojj32.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Obnbpb32.exe File opened for modification C:\Windows\SysWOW64\Poacighp.exe Pmcgmkil.exe File created C:\Windows\SysWOW64\Ienjoljk.dll Cpdhna32.exe File created C:\Windows\SysWOW64\Gfoeel32.exe Fpemhb32.exe File created C:\Windows\SysWOW64\Melmmmif.dll Inmpklpj.exe File created C:\Windows\SysWOW64\Mdlfngcc.exe Manjaldo.exe File opened for modification C:\Windows\SysWOW64\Aadobccg.exe Qlggjlep.exe File opened for modification C:\Windows\SysWOW64\Kolhdbjh.exe Kmnlhg32.exe File created C:\Windows\SysWOW64\Kpoejbhe.exe Kghmhegc.exe File opened for modification C:\Windows\SysWOW64\Mpcgbhig.exe Mmdkfmjc.exe File opened for modification C:\Windows\SysWOW64\Apclnj32.exe Qmepanje.exe File created C:\Windows\SysWOW64\Kokahpfn.dll Ppkmjlca.exe File opened for modification C:\Windows\SysWOW64\Maiqfl32.exe Mokdja32.exe File created C:\Windows\SysWOW64\Najeid32.dll Keango32.exe File opened for modification C:\Windows\SysWOW64\Bdfahaaa.exe Bceeqi32.exe File created C:\Windows\SysWOW64\Einebddd.exe Efoifiep.exe File opened for modification C:\Windows\SysWOW64\Jqbbhg32.exe Jjijkmbi.exe File created C:\Windows\SysWOW64\Jfagemej.exe Jcckibfg.exe File created C:\Windows\SysWOW64\Jipcbidn.exe Jfagemej.exe File created C:\Windows\SysWOW64\Hjnhlm32.dll Biccfalm.exe File created C:\Windows\SysWOW64\Lfippfej.exe Lkbpke32.exe File created C:\Windows\SysWOW64\Pfeeff32.exe Ppkmjlca.exe File created C:\Windows\SysWOW64\Bdohpb32.dll Cdkkcp32.exe File opened for modification C:\Windows\SysWOW64\Iohbjpkb.exe Idbnmgll.exe File created C:\Windows\SysWOW64\Befddlni.dll Ceqjla32.exe File created C:\Windows\SysWOW64\Oengjm32.dll Jgpndg32.exe File created C:\Windows\SysWOW64\Fpfjap32.dll Cglcek32.exe File created C:\Windows\SysWOW64\Jemffb32.dll Hnkffi32.exe File created C:\Windows\SysWOW64\Jqbbhg32.exe Jjijkmbi.exe File created C:\Windows\SysWOW64\Chkfjj32.dll Ocfiif32.exe File created C:\Windows\SysWOW64\Lpppjikm.dll Qcjoci32.exe File created C:\Windows\SysWOW64\Alaccj32.exe Aegkfpah.exe File created C:\Windows\SysWOW64\Nalmek32.dll Beldao32.exe File created C:\Windows\SysWOW64\Bkcfjk32.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Aeackjhh.dll Efmlqigc.exe File created C:\Windows\SysWOW64\Kghmhegc.exe Kffqqm32.exe File created C:\Windows\SysWOW64\Nhebhipj.exe Ndjfgkha.exe File created C:\Windows\SysWOW64\Ofdeeb32.exe Ocfiif32.exe File opened for modification C:\Windows\SysWOW64\Ofgbkacb.exe Ochenfdn.exe File opened for modification C:\Windows\SysWOW64\Pijgbl32.exe Pfkkeq32.exe File opened for modification C:\Windows\SysWOW64\Acohnhab.exe Apclnj32.exe File opened for modification C:\Windows\SysWOW64\Cdkkcp32.exe Camnge32.exe File created C:\Windows\SysWOW64\Lmpeljkm.exe Ljbipolj.exe File opened for modification C:\Windows\SysWOW64\Bdcnhk32.exe Baealp32.exe File created C:\Windows\SysWOW64\Mmgqao32.dll Ldmaijdc.exe File created C:\Windows\SysWOW64\Booqgija.dll Cbjnqh32.exe File created C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe File opened for modification C:\Windows\SysWOW64\Hnkffi32.exe Hhnnnbaj.exe File created C:\Windows\SysWOW64\Nnbjpqoa.exe Nkdndeon.exe File opened for modification C:\Windows\SysWOW64\Bmlbaqfh.exe Bfbjdf32.exe File created C:\Windows\SysWOW64\Jnbpqb32.exe Imogcj32.exe File opened for modification C:\Windows\SysWOW64\Qbobaf32.exe Qldjdlgb.exe File created C:\Windows\SysWOW64\Iocioq32.exe Ihiabfhk.exe File created C:\Windows\SysWOW64\Acadchoo.exe Amglgn32.exe File opened for modification C:\Windows\SysWOW64\Abjeejep.exe Apkihofl.exe File created C:\Windows\SysWOW64\Faijggao.exe Fnjnkkbk.exe File created C:\Windows\SysWOW64\Leaohdkk.dll Glnkcc32.exe File created C:\Windows\SysWOW64\Ofmlooqi.dll Pgodcich.exe File opened for modification C:\Windows\SysWOW64\Fpemhb32.exe Fmfalg32.exe File opened for modification C:\Windows\SysWOW64\Pjbjjc32.exe Pkojoghl.exe File opened for modification C:\Windows\SysWOW64\Piohgbng.exe Pbepkh32.exe File created C:\Windows\SysWOW64\Mgbkgheh.dll Gfoeel32.exe File created C:\Windows\SysWOW64\Kpjhnfof.exe Kjmoeo32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcffefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiabfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbojjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baqhapdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiiiine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjkcile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnqphhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapaaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiqfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odflmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcddopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdkfmjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhbabif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekjal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opccallb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almihjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cniajdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdhhdqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkgog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhnfckm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpgibbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nommodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfajia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbnec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefcmehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpmimbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccgheib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdfmbjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahnapmie.dll" Fpemhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgpch32.dll" Hehhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Occlcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ochenfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfeeff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bklpjlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goocenaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cniajdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggpcipi.dll" Ijdppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpmakgc.dll" Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfjmik.dll" Mebpakbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmdkfmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akjfgh32.dll" Neblqoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgmmkof.dll" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nokqidll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnpmio.dll" Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpdeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncipjieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll" Dnhefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheoedma.dll" Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bakaaepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll" Cbkgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpemhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhec32.dll" Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll" Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll" Bmgifa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 e18b82a2cdd5ce7ba804caf8796211b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obcffefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdaehpn.dll" Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glpgibbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poajppaa.dll" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmhbk32.dll" Gleqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opccallb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll" Bjfpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll" Cglcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmggp32.dll" Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhgp32.dll" Manjaldo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nokqidll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegmaomi.dll" Ongckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaofgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkcmjpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljmfe32.dll" Acadchoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Almihjlj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2352 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 30 PID 2152 wrote to memory of 2352 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 30 PID 2152 wrote to memory of 2352 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 30 PID 2152 wrote to memory of 2352 2152 e18b82a2cdd5ce7ba804caf8796211b0N.exe 30 PID 2352 wrote to memory of 2660 2352 Imogcj32.exe 31 PID 2352 wrote to memory of 2660 2352 Imogcj32.exe 31 PID 2352 wrote to memory of 2660 2352 Imogcj32.exe 31 PID 2352 wrote to memory of 2660 2352 Imogcj32.exe 31 PID 2660 wrote to memory of 2732 2660 Jnbpqb32.exe 32 PID 2660 wrote to memory of 2732 2660 Jnbpqb32.exe 32 PID 2660 wrote to memory of 2732 2660 Jnbpqb32.exe 32 PID 2660 wrote to memory of 2732 2660 Jnbpqb32.exe 32 PID 2732 wrote to memory of 1524 2732 Jkfpjf32.exe 33 PID 2732 wrote to memory of 1524 2732 Jkfpjf32.exe 33 PID 2732 wrote to memory of 1524 2732 Jkfpjf32.exe 33 PID 2732 wrote to memory of 1524 2732 Jkfpjf32.exe 33 PID 1524 wrote to memory of 1240 1524 Jkimpfmg.exe 34 PID 1524 wrote to memory of 1240 1524 Jkimpfmg.exe 34 PID 1524 wrote to memory of 1240 1524 Jkimpfmg.exe 34 PID 1524 wrote to memory of 1240 1524 Jkimpfmg.exe 34 PID 1240 wrote to memory of 1308 1240 Jgpndg32.exe 35 PID 1240 wrote to memory of 1308 1240 Jgpndg32.exe 35 PID 1240 wrote to memory of 1308 1240 Jgpndg32.exe 35 PID 1240 wrote to memory of 1308 1240 Jgpndg32.exe 35 PID 1308 wrote to memory of 1148 1308 Jecnnk32.exe 36 PID 1308 wrote to memory of 1148 1308 Jecnnk32.exe 36 PID 1308 wrote to memory of 1148 1308 Jecnnk32.exe 36 PID 1308 wrote to memory of 1148 1308 Jecnnk32.exe 36 PID 1148 wrote to memory of 2948 1148 Jajocl32.exe 37 PID 1148 wrote to memory of 2948 1148 Jajocl32.exe 37 PID 1148 wrote to memory of 2948 1148 Jajocl32.exe 37 PID 1148 wrote to memory of 2948 1148 Jajocl32.exe 37 PID 2948 wrote to memory of 1860 2948 Kfggkc32.exe 38 PID 2948 wrote to memory of 1860 2948 Kfggkc32.exe 38 PID 2948 wrote to memory of 1860 2948 Kfggkc32.exe 38 PID 2948 wrote to memory of 1860 2948 Kfggkc32.exe 38 PID 1860 wrote to memory of 1656 1860 Kjepaa32.exe 39 PID 1860 wrote to memory of 1656 1860 Kjepaa32.exe 39 PID 1860 wrote to memory of 1656 1860 Kjepaa32.exe 39 PID 1860 wrote to memory of 1656 1860 Kjepaa32.exe 39 PID 1656 wrote to memory of 1392 1656 Kpbhjh32.exe 40 PID 1656 wrote to memory of 1392 1656 Kpbhjh32.exe 40 PID 1656 wrote to memory of 1392 1656 Kpbhjh32.exe 40 PID 1656 wrote to memory of 1392 1656 Kpbhjh32.exe 40 PID 1392 wrote to memory of 2276 1392 Kpdeoh32.exe 41 PID 1392 wrote to memory of 2276 1392 Kpdeoh32.exe 41 PID 1392 wrote to memory of 2276 1392 Kpdeoh32.exe 41 PID 1392 wrote to memory of 2276 1392 Kpdeoh32.exe 41 PID 2276 wrote to memory of 2052 2276 Keango32.exe 42 PID 2276 wrote to memory of 2052 2276 Keango32.exe 42 PID 2276 wrote to memory of 2052 2276 Keango32.exe 42 PID 2276 wrote to memory of 2052 2276 Keango32.exe 42 PID 2052 wrote to memory of 2380 2052 Kjpceebh.exe 43 PID 2052 wrote to memory of 2380 2052 Kjpceebh.exe 43 PID 2052 wrote to memory of 2380 2052 Kjpceebh.exe 43 PID 2052 wrote to memory of 2380 2052 Kjpceebh.exe 43 PID 2380 wrote to memory of 1944 2380 Lkbpke32.exe 44 PID 2380 wrote to memory of 1944 2380 Lkbpke32.exe 44 PID 2380 wrote to memory of 1944 2380 Lkbpke32.exe 44 PID 2380 wrote to memory of 1944 2380 Lkbpke32.exe 44 PID 1944 wrote to memory of 836 1944 Lfippfej.exe 45 PID 1944 wrote to memory of 836 1944 Lfippfej.exe 45 PID 1944 wrote to memory of 836 1944 Lfippfej.exe 45 PID 1944 wrote to memory of 836 1944 Lfippfej.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e18b82a2cdd5ce7ba804caf8796211b0N.exe"C:\Users\Admin\AppData\Local\Temp\e18b82a2cdd5ce7ba804caf8796211b0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Mkdioh32.exeC:\Windows\system32\Mkdioh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe34⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Nfjildbp.exeC:\Windows\system32\Nfjildbp.exe37⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe39⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe42⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe43⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe45⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe47⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe48⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe49⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe50⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe51⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe55⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe58⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe61⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Pbglpg32.exeC:\Windows\system32\Pbglpg32.exe62⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe63⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe66⤵PID:1836
-
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe67⤵PID:1516
-
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe68⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe69⤵PID:1612
-
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe70⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe71⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe72⤵PID:2564
-
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe73⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe74⤵PID:308
-
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe75⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe76⤵PID:1040
-
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe77⤵PID:2464
-
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Ajnqphhe.exeC:\Windows\system32\Ajnqphhe.exe79⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe80⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe81⤵PID:2084
-
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe82⤵PID:1812
-
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe83⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe84⤵PID:1956
-
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe85⤵PID:2636
-
C:\Windows\SysWOW64\Aocbokia.exeC:\Windows\system32\Aocbokia.exe86⤵PID:2560
-
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe87⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe88⤵PID:2612
-
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe89⤵PID:2848
-
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe90⤵PID:324
-
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Bbchkime.exeC:\Windows\system32\Bbchkime.exe92⤵PID:480
-
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe93⤵PID:2164
-
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe94⤵PID:1160
-
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe97⤵PID:1068
-
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe99⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Camnge32.exeC:\Windows\system32\Camnge32.exe101⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe103⤵
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe104⤵PID:1504
-
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe107⤵PID:1936
-
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe108⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe109⤵PID:1600
-
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe110⤵PID:1868
-
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe111⤵PID:1620
-
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe112⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Clnehado.exeC:\Windows\system32\Clnehado.exe113⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe114⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe115⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe116⤵PID:848
-
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe117⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe118⤵PID:1420
-
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe119⤵PID:2340
-
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe120⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe121⤵PID:2748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-