Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
82s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/09/2024, 06:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e7f6f3a39f3aab802704add7c4f85a20N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
e7f6f3a39f3aab802704add7c4f85a20N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e7f6f3a39f3aab802704add7c4f85a20N.exe
-
Size
582KB
-
MD5
e7f6f3a39f3aab802704add7c4f85a20
-
SHA1
e747752229986e55bdea70dd207f30a19540db24
-
SHA256
1ad81a55ce5d4c37c8c290cff453b3e2715208579aff528c60c6a580fb77c1ff
-
SHA512
beccbd967980f8ba444824c7e82f064f202b06623d9224585950ad4d0716aadc989917639f3dbc6404d9220a5744f0823db065eba2209ed49dd405c186937d42
-
SSDEEP
6144:F5hueYIQHZ4ii7+1bRtPcCrc6egLCCGP7+1bRtPcCrhCRkR/+MG7+1bRtPcCrhr:fXpQHZ49YNrAgmCAYNrekcPYNrB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmcbio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momckfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpomdmqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egepce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfkblc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjohbgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgbfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhgonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjdpgic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejqmahdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemcookp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gckknqkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkgmkbih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ephihbnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Japfphle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolondiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aendldnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmnpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eccadhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmlokdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmocjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijfadkbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkpnbdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbjlgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkmbliip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahpcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpbklpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjbnlqld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhhcpkmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmcbio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljdcqek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhjnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibaonfll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikkcnog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onipbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildhcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjfko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqgcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmpjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpggnfap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diaecf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emhdhipd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlmqip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dciekjhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Halkahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafeaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmpckbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gadlio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaobcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfmefdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmdeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkqmnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblbb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2732 Dqknqleg.exe 2848 Dmaoem32.exe 2756 Ebhjdc32.exe 2884 Fpdqlkhe.exe 2712 Fjlaod32.exe 548 Fbhfcf32.exe 1080 Hghhngjb.exe 2388 Hafbid32.exe 1168 Inopce32.exe 1756 Jmnpkp32.exe 2408 Jmplqp32.exe 1972 Kakdpb32.exe 2324 Kbonmjph.exe 2320 Mdnffpif.exe 2468 Mkcagn32.exe 1656 Npgppdpc.exe 2948 Ngcebnen.exe 1936 Onipbl32.exe 1540 Oohmmojn.exe 1748 Pgfnfq32.exe 1160 Panboflg.exe 2816 Pjicnlqe.exe 2624 Pcahga32.exe 652 Pbfehn32.exe 2156 Qpmbgaid.exe 1600 Aendjh32.exe 2872 Apheke32.exe 2764 Blcokf32.exe 2916 Bodhlane.exe 2684 Chafpfqp.exe 2648 Caijik32.exe 1896 Cdlppf32.exe 2264 Clheeh32.exe 2980 Dcffmb32.exe 2004 Domgache.exe 1148 Efdohq32.exe 364 Ebkpma32.exe 1124 Epopff32.exe 976 Fijadk32.exe 2076 Flkjffkm.exe 1560 Fhakkg32.exe 1244 Fhdhqg32.exe 1928 Fpoleilj.exe 1700 Gpaikiig.exe 3008 Gmejdm32.exe 1988 Giljinne.exe 2532 Gfpkbbmo.exe 2988 Glmckikf.exe 1720 Gkbplepn.exe 2768 Hhhmki32.exe 2364 Hpcbol32.exe 2776 Hacoio32.exe 1208 Hlmpjl32.exe 2188 Heedbbdb.exe 2676 Igdqmeke.exe 1956 Ickaaf32.exe 2728 Icnngeof.exe 1460 Idagdm32.exe 812 Iqhhin32.exe 2168 Jbgdcapi.exe 1136 Jdhmel32.exe 2420 Jmcbio32.exe 332 Jqakompl.exe 2232 Jjjohbgl.exe -
Loads dropped DLL 64 IoCs
pid Process 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 2732 Dqknqleg.exe 2732 Dqknqleg.exe 2848 Dmaoem32.exe 2848 Dmaoem32.exe 2756 Ebhjdc32.exe 2756 Ebhjdc32.exe 2884 Fpdqlkhe.exe 2884 Fpdqlkhe.exe 2712 Fjlaod32.exe 2712 Fjlaod32.exe 548 Fbhfcf32.exe 548 Fbhfcf32.exe 1080 Hghhngjb.exe 1080 Hghhngjb.exe 2388 Hafbid32.exe 2388 Hafbid32.exe 1168 Inopce32.exe 1168 Inopce32.exe 1756 Jmnpkp32.exe 1756 Jmnpkp32.exe 2408 Jmplqp32.exe 2408 Jmplqp32.exe 1972 Kakdpb32.exe 1972 Kakdpb32.exe 2324 Kbonmjph.exe 2324 Kbonmjph.exe 2320 Mdnffpif.exe 2320 Mdnffpif.exe 2468 Mkcagn32.exe 2468 Mkcagn32.exe 1656 Npgppdpc.exe 1656 Npgppdpc.exe 2948 Ngcebnen.exe 2948 Ngcebnen.exe 1936 Onipbl32.exe 1936 Onipbl32.exe 1540 Oohmmojn.exe 1540 Oohmmojn.exe 1748 Pgfnfq32.exe 1748 Pgfnfq32.exe 1160 Panboflg.exe 1160 Panboflg.exe 2816 Pjicnlqe.exe 2816 Pjicnlqe.exe 2624 Pcahga32.exe 2624 Pcahga32.exe 652 Pbfehn32.exe 652 Pbfehn32.exe 2156 Qpmbgaid.exe 2156 Qpmbgaid.exe 1600 Aendjh32.exe 1600 Aendjh32.exe 2872 Apheke32.exe 2872 Apheke32.exe 2764 Blcokf32.exe 2764 Blcokf32.exe 2916 Bodhlane.exe 2916 Bodhlane.exe 2684 Chafpfqp.exe 2684 Chafpfqp.exe 2648 Caijik32.exe 2648 Caijik32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Laojmojg.dll Lfhgng32.exe File created C:\Windows\SysWOW64\Jmoqmm32.dll Fgkbac32.exe File created C:\Windows\SysWOW64\Ophiff32.dll Cjnege32.exe File created C:\Windows\SysWOW64\Jdmnao32.dll Anbcio32.exe File opened for modification C:\Windows\SysWOW64\Ebnokjpf.exe Ejcjfgbk.exe File created C:\Windows\SysWOW64\Pnbihl32.dll Lhodgebh.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Cmocjn32.exe File created C:\Windows\SysWOW64\Ppdbepon.exe Pbpbklpd.exe File created C:\Windows\SysWOW64\Eljnio32.exe Eeqele32.exe File created C:\Windows\SysWOW64\Aebljh32.dll Fpecddpi.exe File created C:\Windows\SysWOW64\Ibaonfll.exe Ibobhgno.exe File opened for modification C:\Windows\SysWOW64\Gcceqa32.exe Gikahkng.exe File opened for modification C:\Windows\SysWOW64\Jqakompl.exe Jmcbio32.exe File created C:\Windows\SysWOW64\Dcfkgmcj.dll Cgkoejig.exe File created C:\Windows\SysWOW64\Poglgb32.dll Nbincq32.exe File created C:\Windows\SysWOW64\Ickaaf32.exe Igdqmeke.exe File opened for modification C:\Windows\SysWOW64\Kchaniho.exe Klkmkoce.exe File created C:\Windows\SysWOW64\Lfohpidn.dll Nbaqhk32.exe File opened for modification C:\Windows\SysWOW64\Pigghpeh.exe Peinba32.exe File opened for modification C:\Windows\SysWOW64\Nmifla32.exe Nmgiga32.exe File created C:\Windows\SysWOW64\Ebpchl32.dll Boboknnf.exe File opened for modification C:\Windows\SysWOW64\Eiipfbgj.exe Dpqlmm32.exe File created C:\Windows\SysWOW64\Epimjd32.exe Emhdhipd.exe File created C:\Windows\SysWOW64\Fonaehmm.dll Gpppifii.exe File created C:\Windows\SysWOW64\Aladkaic.dll Ddnmhb32.exe File created C:\Windows\SysWOW64\Opaeok32.exe Ocmdeg32.exe File opened for modification C:\Windows\SysWOW64\Bqhffj32.exe Afbbiafj.exe File opened for modification C:\Windows\SysWOW64\Mhippbem.exe Lfhgng32.exe File created C:\Windows\SysWOW64\Gnaqdnnd.dll Bgffdk32.exe File created C:\Windows\SysWOW64\Dmlnbd32.exe Dcciiope.exe File created C:\Windows\SysWOW64\Gfadeaho.exe Gnfoao32.exe File opened for modification C:\Windows\SysWOW64\Lnflif32.exe Lgldmlil.exe File opened for modification C:\Windows\SysWOW64\Fbqllnco.exe Fhkhoedh.exe File created C:\Windows\SysWOW64\Eqjjhn32.dll Hpcbol32.exe File opened for modification C:\Windows\SysWOW64\Nmdfglhm.exe Ndlanf32.exe File created C:\Windows\SysWOW64\Dmpckbci.exe Dmmffbek.exe File opened for modification C:\Windows\SysWOW64\Oabafcek.exe Opaeok32.exe File opened for modification C:\Windows\SysWOW64\Cfidhcbm.exe Cefkkk32.exe File created C:\Windows\SysWOW64\Gakjcp32.exe Fedinobh.exe File created C:\Windows\SysWOW64\Ahdqdahc.exe Qechbf32.exe File created C:\Windows\SysWOW64\Aendjh32.exe Qpmbgaid.exe File created C:\Windows\SysWOW64\Oheoaa32.exe Oakgdgok.exe File created C:\Windows\SysWOW64\Fdmdpcnm.dll Omdbfo32.exe File created C:\Windows\SysWOW64\Jjheklqc.exe Jkbhjo32.exe File created C:\Windows\SysWOW64\Fhkmjj32.dll Fgjpijjb.exe File created C:\Windows\SysWOW64\Mkcfojmh.dll Dddodd32.exe File created C:\Windows\SysWOW64\Ejehmm32.dll Fanlbekb.exe File created C:\Windows\SysWOW64\Oppemb32.dll Bdghpggf.exe File created C:\Windows\SysWOW64\Mfbnfcli.exe Mmijmn32.exe File opened for modification C:\Windows\SysWOW64\Okciddnh.exe Obhdpaqm.exe File opened for modification C:\Windows\SysWOW64\Egepce32.exe Eeecibci.exe File created C:\Windows\SysWOW64\Cqpngocg.dll Hkgmkbih.exe File created C:\Windows\SysWOW64\Aeijmg32.dll Ogldfl32.exe File opened for modification C:\Windows\SysWOW64\Mafoal32.exe Mnefpq32.exe File created C:\Windows\SysWOW64\Aadnpa32.dll Bamfloef.exe File created C:\Windows\SysWOW64\Hoopdo32.dll Hbblbb32.exe File created C:\Windows\SysWOW64\Pkcjpn32.dll Pjicnlqe.exe File created C:\Windows\SysWOW64\Lglnblmj.dll Hnbhpl32.exe File opened for modification C:\Windows\SysWOW64\Ppkahi32.exe Pcgqoech.exe File created C:\Windows\SysWOW64\Bglnbdbj.dll Gmlokdgp.exe File created C:\Windows\SysWOW64\Ldqkqf32.exe Lodbhp32.exe File created C:\Windows\SysWOW64\Cidnjk32.dll Plbdfc32.exe File created C:\Windows\SysWOW64\Hnbhpl32.exe Hnpkkm32.exe File opened for modification C:\Windows\SysWOW64\Pplejj32.exe Pegalaad.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7f6f3a39f3aab802704add7c4f85a20N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcidqlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppclkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaecf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbpii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgbfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbaqfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgojdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcigjolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqgmnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmgncii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogodcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmpckbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmjafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhkhoedh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgibpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckknqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpqhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnqhcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfilfiia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqninhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhfjid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjkfpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbgbaio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiodh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplejj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqjghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Benbbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhodgebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmchp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqgqppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diekle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halkahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gggihhkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imepio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpkdio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkblc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejbgpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Depgeiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmaoem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhmki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcolpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phiekdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfpkbbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopqoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhoeqide.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmeokdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpppifii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohaimea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbkkgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogldfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgmjhfh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffomjgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqmfcl32.dll" Hpejcnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddeal32.dll" Ebjfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfndga32.dll" Lmikhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Macpcccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmjpako.dll" Immnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klflfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfdpfep.dll" Diekle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmdpcnm.dll" Omdbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqpij32.dll" Lolbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fikkcnog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihgikml.dll" Mnefpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmdfglhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beqogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggcan32.dll" Liaggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfifc32.dll" Cceenilo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfknpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gngdcpjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglcoefp.dll" Ijbjbdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliooeco.dll" Pegalaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmdbf32.dll" Ppkahi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejldfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfohoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnjml32.dll" Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nanlla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epimjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhhmki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opdkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idabbpgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqhffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biegpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlliof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffomjgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fddcqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgcflnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcaekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjqfp32.dll" Bokapipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdacfn32.dll" Efdohq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgldmlil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecabfpff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqninhmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lodbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgkghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foqgqppk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chafpfqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponbjgho.dll" Fkfcdpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nngjbfpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agmbolin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakbajhh.dll" Kgfannba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnkdlagc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedabe32.dll" Kakdpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfjeppd.dll" Dafeaapg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haggkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmjhejph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgllof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmdmcpk.dll" Hfkidh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kchaniho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkqnchgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmgfpki.dll" Iikneggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emhdhipd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdlkmb32.dll" Mcmiqdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odflnaqp.dll" Hacoio32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2732 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 29 PID 2428 wrote to memory of 2732 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 29 PID 2428 wrote to memory of 2732 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 29 PID 2428 wrote to memory of 2732 2428 e7f6f3a39f3aab802704add7c4f85a20N.exe 29 PID 2732 wrote to memory of 2848 2732 Dqknqleg.exe 30 PID 2732 wrote to memory of 2848 2732 Dqknqleg.exe 30 PID 2732 wrote to memory of 2848 2732 Dqknqleg.exe 30 PID 2732 wrote to memory of 2848 2732 Dqknqleg.exe 30 PID 2848 wrote to memory of 2756 2848 Dmaoem32.exe 31 PID 2848 wrote to memory of 2756 2848 Dmaoem32.exe 31 PID 2848 wrote to memory of 2756 2848 Dmaoem32.exe 31 PID 2848 wrote to memory of 2756 2848 Dmaoem32.exe 31 PID 2756 wrote to memory of 2884 2756 Ebhjdc32.exe 32 PID 2756 wrote to memory of 2884 2756 Ebhjdc32.exe 32 PID 2756 wrote to memory of 2884 2756 Ebhjdc32.exe 32 PID 2756 wrote to memory of 2884 2756 Ebhjdc32.exe 32 PID 2884 wrote to memory of 2712 2884 Fpdqlkhe.exe 33 PID 2884 wrote to memory of 2712 2884 Fpdqlkhe.exe 33 PID 2884 wrote to memory of 2712 2884 Fpdqlkhe.exe 33 PID 2884 wrote to memory of 2712 2884 Fpdqlkhe.exe 33 PID 2712 wrote to memory of 548 2712 Fjlaod32.exe 34 PID 2712 wrote to memory of 548 2712 Fjlaod32.exe 34 PID 2712 wrote to memory of 548 2712 Fjlaod32.exe 34 PID 2712 wrote to memory of 548 2712 Fjlaod32.exe 34 PID 548 wrote to memory of 1080 548 Fbhfcf32.exe 35 PID 548 wrote to memory of 1080 548 Fbhfcf32.exe 35 PID 548 wrote to memory of 1080 548 Fbhfcf32.exe 35 PID 548 wrote to memory of 1080 548 Fbhfcf32.exe 35 PID 1080 wrote to memory of 2388 1080 Hghhngjb.exe 36 PID 1080 wrote to memory of 2388 1080 Hghhngjb.exe 36 PID 1080 wrote to memory of 2388 1080 Hghhngjb.exe 36 PID 1080 wrote to memory of 2388 1080 Hghhngjb.exe 36 PID 2388 wrote to memory of 1168 2388 Hafbid32.exe 37 PID 2388 wrote to memory of 1168 2388 Hafbid32.exe 37 PID 2388 wrote to memory of 1168 2388 Hafbid32.exe 37 PID 2388 wrote to memory of 1168 2388 Hafbid32.exe 37 PID 1168 wrote to memory of 1756 1168 Inopce32.exe 38 PID 1168 wrote to memory of 1756 1168 Inopce32.exe 38 PID 1168 wrote to memory of 1756 1168 Inopce32.exe 38 PID 1168 wrote to memory of 1756 1168 Inopce32.exe 38 PID 1756 wrote to memory of 2408 1756 Jmnpkp32.exe 39 PID 1756 wrote to memory of 2408 1756 Jmnpkp32.exe 39 PID 1756 wrote to memory of 2408 1756 Jmnpkp32.exe 39 PID 1756 wrote to memory of 2408 1756 Jmnpkp32.exe 39 PID 2408 wrote to memory of 1972 2408 Jmplqp32.exe 40 PID 2408 wrote to memory of 1972 2408 Jmplqp32.exe 40 PID 2408 wrote to memory of 1972 2408 Jmplqp32.exe 40 PID 2408 wrote to memory of 1972 2408 Jmplqp32.exe 40 PID 1972 wrote to memory of 2324 1972 Kakdpb32.exe 41 PID 1972 wrote to memory of 2324 1972 Kakdpb32.exe 41 PID 1972 wrote to memory of 2324 1972 Kakdpb32.exe 41 PID 1972 wrote to memory of 2324 1972 Kakdpb32.exe 41 PID 2324 wrote to memory of 2320 2324 Kbonmjph.exe 42 PID 2324 wrote to memory of 2320 2324 Kbonmjph.exe 42 PID 2324 wrote to memory of 2320 2324 Kbonmjph.exe 42 PID 2324 wrote to memory of 2320 2324 Kbonmjph.exe 42 PID 2320 wrote to memory of 2468 2320 Mdnffpif.exe 43 PID 2320 wrote to memory of 2468 2320 Mdnffpif.exe 43 PID 2320 wrote to memory of 2468 2320 Mdnffpif.exe 43 PID 2320 wrote to memory of 2468 2320 Mdnffpif.exe 43 PID 2468 wrote to memory of 1656 2468 Mkcagn32.exe 44 PID 2468 wrote to memory of 1656 2468 Mkcagn32.exe 44 PID 2468 wrote to memory of 1656 2468 Mkcagn32.exe 44 PID 2468 wrote to memory of 1656 2468 Mkcagn32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7f6f3a39f3aab802704add7c4f85a20N.exe"C:\Users\Admin\AppData\Local\Temp\e7f6f3a39f3aab802704add7c4f85a20N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Fpdqlkhe.exeC:\Windows\system32\Fpdqlkhe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Fbhfcf32.exeC:\Windows\system32\Fbhfcf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Hafbid32.exeC:\Windows\system32\Hafbid32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Jmnpkp32.exeC:\Windows\system32\Jmnpkp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Jmplqp32.exeC:\Windows\system32\Jmplqp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Kakdpb32.exeC:\Windows\system32\Kakdpb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Kbonmjph.exeC:\Windows\system32\Kbonmjph.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Mkcagn32.exeC:\Windows\system32\Mkcagn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Npgppdpc.exeC:\Windows\system32\Npgppdpc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Pbfehn32.exeC:\Windows\system32\Pbfehn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Chafpfqp.exeC:\Windows\system32\Chafpfqp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Caijik32.exeC:\Windows\system32\Caijik32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe33⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe34⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Dcffmb32.exeC:\Windows\system32\Dcffmb32.exe35⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe36⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe39⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe40⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe42⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Fhdhqg32.exeC:\Windows\system32\Fhdhqg32.exe43⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe44⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Gpaikiig.exeC:\Windows\system32\Gpaikiig.exe45⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe46⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Giljinne.exeC:\Windows\system32\Giljinne.exe47⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe49⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Gkbplepn.exeC:\Windows\system32\Gkbplepn.exe50⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Hacoio32.exeC:\Windows\system32\Hacoio32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Hlmpjl32.exeC:\Windows\system32\Hlmpjl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe55⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Ickaaf32.exeC:\Windows\system32\Ickaaf32.exe57⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe58⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe59⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe60⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe61⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Jqakompl.exeC:\Windows\system32\Jqakompl.exe64⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Kecpipck.exeC:\Windows\system32\Kecpipck.exe66⤵PID:1064
-
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe67⤵PID:2080
-
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe68⤵PID:1596
-
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe69⤵PID:2868
-
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe71⤵PID:2656
-
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe72⤵PID:2492
-
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe73⤵PID:2184
-
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe74⤵PID:2972
-
C:\Windows\SysWOW64\Lfgbmf32.exeC:\Windows\system32\Lfgbmf32.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe76⤵PID:2068
-
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe78⤵PID:2412
-
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe80⤵PID:2224
-
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe82⤵PID:1484
-
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe83⤵PID:2124
-
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe84⤵PID:896
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe85⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe86⤵PID:2140
-
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe87⤵PID:2088
-
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe89⤵
- System Location Discovery: System Language Discovery
PID:512 -
C:\Windows\SysWOW64\Abodlk32.exeC:\Windows\system32\Abodlk32.exe90⤵PID:2120
-
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe91⤵PID:2528
-
C:\Windows\SysWOW64\Aliejq32.exeC:\Windows\system32\Aliejq32.exe92⤵PID:2524
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe93⤵PID:2820
-
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe95⤵PID:1228
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe96⤵
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe97⤵PID:636
-
C:\Windows\SysWOW64\Bfliqmjg.exeC:\Windows\system32\Bfliqmjg.exe98⤵PID:1184
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe99⤵PID:1624
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe100⤵PID:2952
-
C:\Windows\SysWOW64\Cgcoal32.exeC:\Windows\system32\Cgcoal32.exe101⤵PID:2240
-
C:\Windows\SysWOW64\Condfo32.exeC:\Windows\system32\Condfo32.exe102⤵PID:2620
-
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe103⤵PID:2272
-
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe104⤵PID:1728
-
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Dpggnfap.exeC:\Windows\system32\Dpggnfap.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Dlpdifda.exeC:\Windows\system32\Dlpdifda.exe108⤵PID:2960
-
C:\Windows\SysWOW64\Dlbanfbo.exeC:\Windows\system32\Dlbanfbo.exe109⤵PID:2996
-
C:\Windows\SysWOW64\Dfjegl32.exeC:\Windows\system32\Dfjegl32.exe110⤵PID:3016
-
C:\Windows\SysWOW64\Djhnmj32.exeC:\Windows\system32\Djhnmj32.exe111⤵PID:2400
-
C:\Windows\SysWOW64\Ecabfpff.exeC:\Windows\system32\Ecabfpff.exe112⤵
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Eddlcgjb.exeC:\Windows\system32\Eddlcgjb.exe113⤵PID:2296
-
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe114⤵PID:1712
-
C:\Windows\SysWOW64\Eqninhmc.exeC:\Windows\system32\Eqninhmc.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ekcmkamj.exeC:\Windows\system32\Ekcmkamj.exe116⤵PID:2032
-
C:\Windows\SysWOW64\Fpecddpi.exeC:\Windows\system32\Fpecddpi.exe117⤵
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Fmicnhob.exeC:\Windows\system32\Fmicnhob.exe118⤵PID:852
-
C:\Windows\SysWOW64\Fjmdgmnl.exeC:\Windows\system32\Fjmdgmnl.exe119⤵PID:2496
-
C:\Windows\SysWOW64\Fefdhj32.exeC:\Windows\system32\Fefdhj32.exe120⤵PID:2000
-
C:\Windows\SysWOW64\Fffabman.exeC:\Windows\system32\Fffabman.exe121⤵PID:2724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-