Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 06:16
Static task: static1
Behavioral task: behavioral1
Sample: ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Resource: win10v2004-20240802-en
General
Target: ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe
Size: 407KB
MD5: 75bb4d662d2b02f5dc3b432aa33a534f
SHA1: 1972e49098f076e70ef7291b54ad4539b5ce694b
SHA256: ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5
SHA512: 43b2da73e65021efddf48f91dc2b57a8729f71b5caf281b1b181c7528ea4845295fa63f19155b5b5c3d95dafbd9974d6dc412b416801bb615a63a301df792757
SSDEEP: 6144:fUhuRQTpui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:DRGpV6yYP3pV6yYPg058KpV6yYPS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2304, pid_target: 2492, Process: WerFault.exe, procid_target: 810
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ddeed41fda6e5f6e1a5b425af33656db76c52af6aa8c8f484cac2912553e05a5.exe"; depth 1; PID 2152)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dmgokcja.exe (command line: C:\Windows\system32\Dmgokcja.exe; depth 2; PID 2708)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dhmchljg.exe (command line: C:\Windows\system32\Dhmchljg.exe; depth 3; PID 988)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Emnelbdi.exe (command line: C:\Windows\system32\Emnelbdi.exe; depth 4; PID 2324)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eiefqc32.exe (command line: C:\Windows\system32\Eiefqc32.exe; depth 5; PID 2860)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eelfedpa.exe (command line: C:\Windows\system32\Eelfedpa.exe; depth 6; PID 2788)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eabgjeef.exe (command line: C:\Windows\system32\Eabgjeef.exe; depth 7; PID 2764)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Faedpdcc.exe (command line: C:\Windows\system32\Faedpdcc.exe; depth 8; PID 2648)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fbdpjgjf.exe (command line: C:\Windows\system32\Fbdpjgjf.exe; depth 9; PID 2216)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fkpeojha.exe (command line: C:\Windows\system32\Fkpeojha.exe; depth 10; PID 1364)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fkbadifn.exe (command line: C:\Windows\system32\Fkbadifn.exe; depth 11; PID 1116)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fkdoii32.exe (command line: C:\Windows\system32\Fkdoii32.exe; depth 12; PID 1252)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ggkoojip.exe (command line: C:\Windows\system32\Ggkoojip.exe; depth 13; PID 2984)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gcapckod.exe (command line: C:\Windows\system32\Gcapckod.exe; depth 14; PID 1544)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gpfpmonn.exe (command line: C:\Windows\system32\Gpfpmonn.exe; depth 15; PID 2372)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gllabp32.exe (command line: C:\Windows\system32\Gllabp32.exe; depth 16; PID 1536)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Glongpao.exe (command line: C:\Windows\system32\Glongpao.exe; depth 17; PID 1632)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hkdkhl32.exe (command line: C:\Windows\system32\Hkdkhl32.exe; depth 18; PID 668)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hqemlbqi.exe (command line: C:\Windows\system32\Hqemlbqi.exe; depth 19; PID 580)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hmlmacfn.exe (command line: C:\Windows\system32\Hmlmacfn.exe; depth 20; PID 1964)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Homfboco.exe (command line: C:\Windows\system32\Homfboco.exe; depth 21; PID 1244)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Imaglc32.exe (command line: C:\Windows\system32\Imaglc32.exe; depth 22; PID 1616)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ibnodj32.exe (command line: C:\Windows\system32\Ibnodj32.exe; depth 23; PID 3068)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ioapnn32.exe (command line: C:\Windows\system32\Ioapnn32.exe; depth 24; PID 2280)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ikhqbo32.exe (command line: C:\Windows\system32\Ikhqbo32.exe; depth 25; PID 3048)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ieaekdkn.exe (command line: C:\Windows\system32\Ieaekdkn.exe; depth 26; PID 2368)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Iniidj32.exe (command line: C:\Windows\system32\Iniidj32.exe; depth 27; PID 968)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ijpjik32.exe (command line: C:\Windows\system32\Ijpjik32.exe; depth 28; PID 2852)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Jgdkbo32.exe (command line: C:\Windows\system32\Jgdkbo32.exe; depth 29; PID 2892)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jalolemm.exe (command line: C:\Windows\system32\Jalolemm.exe; depth 30; PID 2744)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Jaolad32.exe (command line: C:\Windows\system32\Jaolad32.exe; depth 31; PID 1716)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jfkdik32.exe (command line: C:\Windows\system32\Jfkdik32.exe; depth 32; PID 2076)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jcodcp32.exe (command line: C:\Windows\system32\Jcodcp32.exe; depth 33; PID 2928)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Jjimpj32.exe (command line: C:\Windows\system32\Jjimpj32.exe; depth 34; PID 2236)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Jfpndkel.exe (command line: C:\Windows\system32\Jfpndkel.exe; depth 35; PID 1828)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Laenqg32.exe (command line: C:\Windows\system32\Laenqg32.exe; depth 36; PID 1744)
- Executes dropped EXE

C:\Windows\SysWOW64\Lmlofhmb.exe (command line: C:\Windows\system32\Lmlofhmb.exe; depth 37; PID 2416)
- Executes dropped EXE

C:\Windows\SysWOW64\Lgdcom32.exe (command line: C:\Windows\system32\Lgdcom32.exe; depth 38; PID 3024)
- Executes dropped EXE

C:\Windows\SysWOW64\Lckdcn32.exe (command line: C:\Windows\system32\Lckdcn32.exe; depth 39; PID 964)
- Executes dropped EXE

C:\Windows\SysWOW64\Lobehpok.exe (command line: C:\Windows\system32\Lobehpok.exe; depth 40; PID 1996)
- Executes dropped EXE

C:\Windows\SysWOW64\Modano32.exe (command line: C:\Windows\system32\Modano32.exe; depth 41; PID 2944)
- Executes dropped EXE

C:\Windows\SysWOW64\Mhmfgdch.exe (command line: C:\Windows\system32\Mhmfgdch.exe; depth 42; PID 2808)
- Executes dropped EXE

C:\Windows\SysWOW64\Mpmdff32.exe (command line: C:\Windows\system32\Mpmdff32.exe; depth 43; PID 2232)
- Executes dropped EXE

C:\Windows\SysWOW64\Mdkmld32.exe (command line: C:\Windows\system32\Mdkmld32.exe; depth 44; PID 2576)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Ncpjnahm.exe (command line: C:\Windows\system32\Ncpjnahm.exe; depth 45; PID 2196)
- Executes dropped EXE

C:\Windows\SysWOW64\Ncbfcq32.exe (command line: C:\Windows\system32\Ncbfcq32.exe; depth 46; PID 2428)
- Executes dropped EXE

C:\Windows\SysWOW64\Ncdciq32.exe (command line: C:\Windows\system32\Ncdciq32.exe; depth 47; PID 1684)
- Executes dropped EXE

C:\Windows\SysWOW64\Nfeljlqh.exe (command line: C:\Windows\system32\Nfeljlqh.exe; depth 48; PID 2720)
- Executes dropped EXE

C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe; depth 49; PID 1844)
- Executes dropped EXE

C:\Windows\SysWOW64\Obniel32.exe (command line: C:\Windows\system32\Obniel32.exe; depth 50; PID 576)
- Executes dropped EXE

C:\Windows\SysWOW64\Oeobfgak.exe (command line: C:\Windows\system32\Oeobfgak.exe; depth 51; PID 2056)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Oafclh32.exe (command line: C:\Windows\system32\Oafclh32.exe; depth 52; PID 2044)
- Executes dropped EXE

C:\Windows\SysWOW64\Oahpahel.exe (command line: C:\Windows\system32\Oahpahel.exe; depth 53; PID 2440)
- Executes dropped EXE

C:\Windows\SysWOW64\Ppnmbd32.exe (command line: C:\Windows\system32\Ppnmbd32.exe; depth 54; PID 856)
- Executes dropped EXE

C:\Windows\SysWOW64\Pnbjca32.exe (command line: C:\Windows\system32\Pnbjca32.exe; depth 55; PID 2080)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Pnefiq32.exe (command line: C:\Windows\system32\Pnefiq32.exe; depth 56; PID 276)
- Executes dropped EXE

C:\Windows\SysWOW64\Peakkj32.exe (command line: C:\Windows\system32\Peakkj32.exe; depth 57; PID 1048)
- Executes dropped EXE

C:\Windows\SysWOW64\Pjndca32.exe (command line: C:\Windows\system32\Pjndca32.exe; depth 58; PID 1848)
- Executes dropped EXE

C:\Windows\SysWOW64\Qhbdmeoe.exe (command line: C:\Windows\system32\Qhbdmeoe.exe; depth 59; PID 1756)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Qhdabemb.exe (command line: C:\Windows\system32\Qhdabemb.exe; depth 60; PID 1380)
- Executes dropped EXE

C:\Windows\SysWOW64\Aamekk32.exe (command line: C:\Windows\system32\Aamekk32.exe; depth 61; PID 1168)
- Executes dropped EXE

C:\Windows\SysWOW64\Amcfpl32.exe (command line: C:\Windows\system32\Amcfpl32.exe; depth 62; PID 1728)
- Executes dropped EXE

C:\Windows\SysWOW64\Aeokdn32.exe (command line: C:\Windows\system32\Aeokdn32.exe; depth 63; PID 2980)
- Executes dropped EXE

C:\Windows\SysWOW64\Alkpgh32.exe (command line: C:\Windows\system32\Alkpgh32.exe; depth 64; PID 836)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Aahhoo32.exe (command line: C:\Windows\system32\Aahhoo32.exe; depth 65; PID 2728)
- Executes dropped EXE

C:\Windows\SysWOW64\Akpmhdqd.exe (command line: C:\Windows\system32\Akpmhdqd.exe; depth 66; PID 2384)

C:\Windows\SysWOW64\Bkbjmd32.exe (command line: C:\Windows\system32\Bkbjmd32.exe; depth 67; PID 1368)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bambjnfn.exe (command line: C:\Windows\system32\Bambjnfn.exe; depth 68; PID 936)

C:\Windows\SysWOW64\Bkefcc32.exe (command line: C:\Windows\system32\Bkefcc32.exe; depth 69; PID 2516)

C:\Windows\SysWOW64\Bpbokj32.exe (command line: C:\Windows\system32\Bpbokj32.exe; depth 70; PID 2632)
- Drops file in System32 directory

C:\Windows\SysWOW64\Bpdkajic.exe (command line: C:\Windows\system32\Bpdkajic.exe; depth 71; PID 2284)

C:\Windows\SysWOW64\Bjlpjp32.exe (command line: C:\Windows\system32\Bjlpjp32.exe; depth 72; PID 392)

C:\Windows\SysWOW64\Bfcqoqeh.exe (command line: C:\Windows\system32\Bfcqoqeh.exe; depth 73; PID 1824)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Bnjipn32.exe (command line: C:\Windows\system32\Bnjipn32.exe; depth 74; PID 1976)

C:\Windows\SysWOW64\Cfemdp32.exe (command line: C:\Windows\system32\Cfemdp32.exe; depth 75; PID 1860)

C:\Windows\SysWOW64\Cblniaii.exe (command line: C:\Windows\system32\Cblniaii.exe; depth 76; PID 1720)

C:\Windows\SysWOW64\Ckebbgoj.exe (command line: C:\Windows\system32\Ckebbgoj.exe; depth 77; PID 1700)

C:\Windows\SysWOW64\Ckgogfmg.exe (command line: C:\Windows\system32\Ckgogfmg.exe; depth 78; PID 2724)

C:\Windows\SysWOW64\Cgnpmg32.exe (command line: C:\Windows\system32\Cgnpmg32.exe; depth 79; PID 560)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Cqfdem32.exe (command line: C:\Windows\system32\Cqfdem32.exe; depth 80; PID 2820)

C:\Windows\SysWOW64\Dbfaopqo.exe (command line: C:\Windows\system32\Dbfaopqo.exe; depth 81; PID 2932)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Dcgmgh32.exe (command line: C:\Windows\system32\Dcgmgh32.exe; depth 82; PID 2304)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Dqknqleg.exe (command line: C:\Windows\system32\Dqknqleg.exe; depth 83; PID 604)

C:\Windows\SysWOW64\Ebcqicem.exe (command line: C:\Windows\system32\Ebcqicem.exe; depth 84; PID 2520)

C:\Windows\SysWOW64\Eeffpn32.exe (command line: C:\Windows\system32\Eeffpn32.exe; depth 85; PID 1988)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Emdgjpkd.exe (command line: C:\Windows\system32\Emdgjpkd.exe; depth 86; PID 1372)

C:\Windows\SysWOW64\Fmfdppia.exe (command line: C:\Windows\system32\Fmfdppia.exe; depth 87; PID 1312)

C:\Windows\SysWOW64\Ffoihepa.exe (command line: C:\Windows\system32\Ffoihepa.exe; depth 88; PID 952)

C:\Windows\SysWOW64\Fdbibjok.exe (command line: C:\Windows\system32\Fdbibjok.exe; depth 89; PID 236)

C:\Windows\SysWOW64\Fpijgk32.exe (command line: C:\Windows\system32\Fpijgk32.exe; depth 90; PID 2472)

C:\Windows\SysWOW64\Fefboabg.exe (command line: C:\Windows\system32\Fefboabg.exe; depth 91; PID 1676)

C:\Windows\SysWOW64\Fooghg32.exe (command line: C:\Windows\system32\Fooghg32.exe; depth 92; PID 1960)

C:\Windows\SysWOW64\Fpncbjqj.exe (command line: C:\Windows\system32\Fpncbjqj.exe; depth 93; PID 2688)

C:\Windows\SysWOW64\Feklja32.exe (command line: C:\Windows\system32\Feklja32.exe; depth 94; PID 2968)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Gbolce32.exe (command line: C:\Windows\system32\Gbolce32.exe; depth 95; PID 2064)

C:\Windows\SysWOW64\Gkjahg32.exe (command line: C:\Windows\system32\Gkjahg32.exe; depth 96; PID 2936)

C:\Windows\SysWOW64\Ghnaaljp.exe (command line: C:\Windows\system32\Ghnaaljp.exe; depth 97; PID 1740)

C:\Windows\SysWOW64\Gmkjjbhg.exe (command line: C:\Windows\system32\Gmkjjbhg.exe; depth 98; PID 1792)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Gkojcgga.exe (command line: C:\Windows\system32\Gkojcgga.exe; depth 99; PID 2316)

C:\Windows\SysWOW64\Gdgoll32.exe (command line: C:\Windows\system32\Gdgoll32.exe; depth 100; PID 1608)

C:\Windows\SysWOW64\Hpnpam32.exe (command line: C:\Windows\system32\Hpnpam32.exe; depth 101; PID 860)

C:\Windows\SysWOW64\Hocmbjhn.exe (command line: C:\Windows\system32\Hocmbjhn.exe; depth 102; PID 2924)

C:\Windows\SysWOW64\Hjhaob32.exe (command line: C:\Windows\system32\Hjhaob32.exe; depth 103; PID 2864)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hadece32.exe (command line: C:\Windows\system32\Hadece32.exe; depth 104; PID 1196)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hllffmbb.exe (command line: C:\Windows\system32\Hllffmbb.exe; depth 105; PID 2240)

C:\Windows\SysWOW64\Hfdkoc32.exe (command line: C:\Windows\system32\Hfdkoc32.exe; depth 106; PID 2904)

C:\Windows\SysWOW64\Ibklddof.exe (command line: C:\Windows\system32\Ibklddof.exe; depth 107; PID 2296)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ikcpmieg.exe (command line: C:\Windows\system32\Ikcpmieg.exe; depth 108; PID 1408)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Iqpiepcn.exe (command line: C:\Windows\system32\Iqpiepcn.exe; depth 109; PID 2072)

C:\Windows\SysWOW64\Icqagkqp.exe (command line: C:\Windows\system32\Icqagkqp.exe; depth 110; PID 2060)

C:\Windows\SysWOW64\Iqdbqp32.exe (command line: C:\Windows\system32\Iqdbqp32.exe; depth 111; PID 912)

C:\Windows\SysWOW64\Ifajif32.exe (command line: C:\Windows\system32\Ifajif32.exe; depth 112; PID 2772)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Jbhkngcd.exe (command line: C:\Windows\system32\Jbhkngcd.exe; depth 113; PID 1228)

C:\Windows\SysWOW64\Jmnpkp32.exe (command line: C:\Windows\system32\Jmnpkp32.exe; depth 114; PID 764)

C:\Windows\SysWOW64\Jeidob32.exe (command line: C:\Windows\system32\Jeidob32.exe; depth 115; PID 2760)

C:\Windows\SysWOW64\Joohmk32.exe (command line: C:\Windows\system32\Joohmk32.exe; depth 116; PID 2832)

C:\Windows\SysWOW64\Jigmeagl.exe (command line: C:\Windows\system32\Jigmeagl.exe; depth 117; PID 2956)
- Drops file in System32 directory

C:\Windows\SysWOW64\Jncenh32.exe (command line: C:\Windows\system32\Jncenh32.exe; depth 118; PID 1812)

C:\Windows\SysWOW64\Jiiikq32.exe (command line: C:\Windows\system32\Jiiikq32.exe; depth 119; PID 928)

C:\Windows\SysWOW64\Jbandfkj.exe (command line: C:\Windows\system32\Jbandfkj.exe; depth 120; PID 1804)

C:\Windows\SysWOW64\Jjmchhhe.exe (command line: C:\Windows\system32\Jjmchhhe.exe; depth 121; PID 428)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Kceganoe.exe (command line: C:\Windows\system32\Kceganoe.exe; depth 122; PID 2360)
- Drops file in System32 directory