Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20/09/2024, 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe
  Resource: win10v2004-20240802-en
General
Target: 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe
Size: 89KB
MD5: 7df1636a86a3fa14fcfa4ac3737f0c00
SHA1: 37a313bbbafa9a953c9cb75490fe0a55a20b08f3
SHA256: 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484b
SHA512: 2fa68195b310fa72cc53c149b83a2c39f72b0834da66b1e2b526b2bb928f63b8ecdaef7130930f121a12738cb1db0f1027ed7225eb54d0003d40e27113f27cce
SSDEEP: 1536:KKzCiCoYhNihhpXr8+t+ekPHTdXvLDVFsfzcilExkg8F:KKeiCoYrUDI+cPzdX/Yfzcilakgw
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjhbic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iffggo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpjfbb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpgoaplb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opkdkbjh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amojnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffnfam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbbacdfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoddhh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Beaaplbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pacgcijn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gogipbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbhcmaoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nikide32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipejejfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciigjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdaajl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hikppghf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flmifk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmocpbbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gandokaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kojihjbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhkhoedh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mnpelg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngllkbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Keocgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mmaomnjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlackjgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pcljlq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nibgjkdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ampbbbbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgbiog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emmnch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nobpjbcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qfnmjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfdcjnbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkjgpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Conofmpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doeegl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gobnljhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cifgcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edjjph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkgmkbih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajpnbh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocilfljc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmonf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ooianpif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkidkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Feljja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amnheklf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlfohb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peipkjge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkbfbg32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2032 | Idhplaoe.exe
2104 | Impdeg32.exe
2060 | Ihehbpel.exe
2736 | Iapjad32.exe
2700 | Ipefba32.exe
2676 | Jbfpcl32.exe
2560 | Jpjpmqjl.exe
2196 | Jegheghc.exe
2932 | Jkfncn32.exe
956 | Kpecad32.exe
1772 | Kckeno32.exe
564 | Kcmbco32.exe
2848 | Lkhfhaea.exe
1864 | Ldqkqf32.exe
2984 | Lhodgebh.exe
2188 | Lgcqhagp.exe
2332 | Lgfmmaem.exe
2280 | Lqnbffkn.exe
2492 | Mjgfol32.exe
1744 | Mocogc32.exe
1652 | Minpeh32.exe
592 | Mbgdonkd.exe
2312 | Mpkehbjm.exe
2412 | Nnpbinoe.exe
1536 | Nejjfh32.exe
2992 | Nbnkomel.exe
2076 | Nlfohb32.exe
1096 | Nfbmnpfh.exe
2668 | Niqijkel.exe
2392 | Npjage32.exe
2568 | Oabdol32.exe
2544 | Okkhhb32.exe
2028 | Ohoiaf32.exe
3044 | Ooianpif.exe
2580 | Pieodn32.exe
836 | Pdjcaf32.exe
2444 | Pdmpgfae.exe
2852 | Pcbmhb32.exe
2844 | Qhoeqide.exe
1968 | Qlmnfh32.exe
944 | Adhbkj32.exe
2176 | Agikmeeg.exe
2152 | Aqapek32.exe
1316 | Ajladp32.exe
2348 | Agpamd32.exe
1676 | Bqhffj32.exe
1972 | Bfeonq32.exe
2488 | Bomcgfjh.exe
1656 | Bfgkdp32.exe
2008 | Biegpl32.exe
2244 | Bbnlia32.exe
1240 | Bihdfkoe.exe
2756 | Bnemnbmm.exe
2688 | Bgmagh32.exe
2588 | Bbbedqcc.exe
2612 | Beaaplbg.exe
1252 | Cgpnlgak.exe
3060 | Cbebjpaa.exe
940 | Ckmfbf32.exe
2628 | Cefkkk32.exe
1108 | Cjbccb32.exe
2380 | Cgfdmf32.exe
2376 | Cbpendha.exe
1540 | Clhifj32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1568 | 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe
1568 | 3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe
2032 | Idhplaoe.exe
2032 | Idhplaoe.exe
2104 | Impdeg32.exe
2104 | Impdeg32.exe
2060 | Ihehbpel.exe
2060 | Ihehbpel.exe
2736 | Iapjad32.exe
2736 | Iapjad32.exe
2700 | Ipefba32.exe
2700 | Ipefba32.exe
2676 | Jbfpcl32.exe
2676 | Jbfpcl32.exe
2560 | Jpjpmqjl.exe
2560 | Jpjpmqjl.exe
2196 | Jegheghc.exe
2196 | Jegheghc.exe
2932 | Jkfncn32.exe
2932 | Jkfncn32.exe
956 | Kpecad32.exe
956 | Kpecad32.exe
1772 | Kckeno32.exe
1772 | Kckeno32.exe
564 | Kcmbco32.exe
564 | Kcmbco32.exe
2848 | Lkhfhaea.exe
2848 | Lkhfhaea.exe
1864 | Ldqkqf32.exe
1864 | Ldqkqf32.exe
2984 | Lhodgebh.exe
2984 | Lhodgebh.exe
2188 | Lgcqhagp.exe
2188 | Lgcqhagp.exe
2332 | Lgfmmaem.exe
2332 | Lgfmmaem.exe
2280 | Lqnbffkn.exe
2280 | Lqnbffkn.exe
2492 | Mjgfol32.exe
2492 | Mjgfol32.exe
1744 | Mocogc32.exe
1744 | Mocogc32.exe
1652 | Minpeh32.exe
1652 | Minpeh32.exe
592 | Mbgdonkd.exe
592 | Mbgdonkd.exe
2312 | Mpkehbjm.exe
2312 | Mpkehbjm.exe
2412 | Nnpbinoe.exe
2412 | Nnpbinoe.exe
1536 | Nejjfh32.exe
1536 | Nejjfh32.exe
2992 | Nbnkomel.exe
2992 | Nbnkomel.exe
2076 | Nlfohb32.exe
2076 | Nlfohb32.exe
1096 | Nfbmnpfh.exe
1096 | Nfbmnpfh.exe
2668 | Niqijkel.exe
2668 | Niqijkel.exe
2392 | Npjage32.exe
2392 | Npjage32.exe
2568 | Oabdol32.exe
2568 | Oabdol32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Jonffc32.exe | Jlpijggf.exe
File created | C:\Windows\SysWOW64\Hkgmkbih.exe | Hbohblcg.exe
File created | C:\Windows\SysWOW64\Nqnicl32.exe | Njdagbjd.exe
File opened for modification | C:\Windows\SysWOW64\Ponlddgf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kcofnejq.exe | Jaajaikm.exe
File created | C:\Windows\SysWOW64\Jeebeo32.dll | Qklhkbcj.exe
File opened for modification | C:\Windows\SysWOW64\Anlammpk.exe | Amkdee32.exe
File created | C:\Windows\SysWOW64\Kckeno32.exe | Kpecad32.exe
File opened for modification | C:\Windows\SysWOW64\Dgldbp32.exe | Dlgpeg32.exe
File created | C:\Windows\SysWOW64\Hnpnfmod.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ilheam32.exe | Heomdbla.exe
File opened for modification | C:\Windows\SysWOW64\Hipodl32.exe | Hphjlfbi.exe
File created | C:\Windows\SysWOW64\Kmnkjq32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nbbdlhlh.exe | Nbpggink.exe
File created | C:\Windows\SysWOW64\Lkdloakn.exe | Process not Found
File created | C:\Windows\SysWOW64\Qfnmjb32.exe | Pijmanoe.exe
File created | C:\Windows\SysWOW64\Blknki32.dll | Aplppela.exe
File opened for modification | C:\Windows\SysWOW64\Ikplopnp.exe | Ibghfj32.exe
File created | C:\Windows\SysWOW64\Dffbmimc.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nfbmnpfh.exe | Nlfohb32.exe
File created | C:\Windows\SysWOW64\Koaohila.exe | Kamooe32.exe
File created | C:\Windows\SysWOW64\Hjpbie32.exe | Hpknlm32.exe
File opened for modification | C:\Windows\SysWOW64\Oloapmnc.exe | Obfmgh32.exe
File created | C:\Windows\SysWOW64\Aehkjm32.dll | Amcaqj32.exe
File opened for modification | C:\Windows\SysWOW64\Cfqpedlp.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ddkdkk32.exe | Dlppgihj.exe
File opened for modification | C:\Windows\SysWOW64\Acoegp32.exe | Anbmoi32.exe
File created | C:\Windows\SysWOW64\Ekdkil32.dll | Cmibdh32.exe
File opened for modification | C:\Windows\SysWOW64\Ccmjni32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Oqhemjef.exe | Ncdecefm.exe
File created | C:\Windows\SysWOW64\Efdjhocj.exe | Eniecmfp.exe
File opened for modification | C:\Windows\SysWOW64\Mcdfnffo.exe | Process not Found
File created | C:\Windows\SysWOW64\Fibegfae.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Oipdhm32.exe | Ofbhlbja.exe
File created | C:\Windows\SysWOW64\Dlgpeg32.exe | Dgjgmp32.exe
File opened for modification | C:\Windows\SysWOW64\Nbjdhj32.exe | Nkblgm32.exe
File opened for modification | C:\Windows\SysWOW64\Bndhle32.exe | Bcodol32.exe
File opened for modification | C:\Windows\SysWOW64\Cfgcaf32.exe | Chcbhbio.exe
File created | C:\Windows\SysWOW64\Fjlebelq.dll | Ebbipj32.exe
File created | C:\Windows\SysWOW64\Gilhbe32.exe | Process not Found
File created | C:\Windows\SysWOW64\Eomaha32.exe | Ebfqbp32.exe
File created | C:\Windows\SysWOW64\Jcnlcn32.dll | Bkabejfg.exe
File opened for modification | C:\Windows\SysWOW64\Ebbipj32.exe | Efkhkifo.exe
File opened for modification | C:\Windows\SysWOW64\Fpfhaj32.exe | Ffndidol.exe
File opened for modification | C:\Windows\SysWOW64\Iiekie32.exe | Ioljhg32.exe
File created | C:\Windows\SysWOW64\Mnbbagei.exe | Mfgmme32.exe
File opened for modification | C:\Windows\SysWOW64\Deloen32.exe | Dkfjhela.exe
File created | C:\Windows\SysWOW64\Pddped32.exe | Poggmn32.exe
File created | C:\Windows\SysWOW64\Mjnkleef.dll | Mlfbkkdb.exe
File created | C:\Windows\SysWOW64\Elfgbmdh.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Alponiga.exe | Anlodd32.exe
File opened for modification | C:\Windows\SysWOW64\Gdnkhm32.exe | Giifkd32.exe
File created | C:\Windows\SysWOW64\Peipkjge.exe | Pchdcb32.exe
File created | C:\Windows\SysWOW64\Kcbmea32.dll | Cckjeq32.exe
File created | C:\Windows\SysWOW64\Kdimaeid.dll | Mhlagcbb.exe
File created | C:\Windows\SysWOW64\Gmdanlgd.dll | Anikdo32.exe
File created | C:\Windows\SysWOW64\Ejclggme.dll | Knemcf32.exe
File created | C:\Windows\SysWOW64\Jaobhk32.exe | Ifjnkbai.exe
File created | C:\Windows\SysWOW64\Iihkea32.exe | Incfhh32.exe
File created | C:\Windows\SysWOW64\Fbledk32.dll | Mfkcdgfi.exe
File created | C:\Windows\SysWOW64\Gfkbpk32.dll | Nmiakdll.exe
File created | C:\Windows\SysWOW64\Aceokhin.exe | Process not Found
File created | C:\Windows\SysWOW64\Goccipnb.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gmeificb.exe | Ghhanbek.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4376 | 2736 | Process not Found | 1240
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glaejokn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfgaibbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Limjeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egimam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfjbloon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqnbffkn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agpamd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eldidd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdjgnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enhckdnk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abldpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcbimj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaonhj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pemedh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdogceln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kheloh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deloen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elcfklgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihdaje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jecdgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mocogc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmibdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcljlq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgfapj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihmkif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgmjla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebblibdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgmagh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgkhhigb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkdeao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diackmif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pahpcd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imgmonga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llkfan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clappaon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhdlodmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fknlmggc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oadjjfga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ookonp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioljhg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eepccldb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebmikdml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdiamnki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acnbqcjm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciagnf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iajfin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emojih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chcbhbio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcalindb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maojlaed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejpkjlgk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fqfgdedc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqknhmdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnddkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amcaqj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhjhhacg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfbpfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhdace32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmmlkdeo.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpcfhpe.dll" | Bgdkjpel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hapaekng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplekcch.dll" | Ndmneb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fahfcjfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onojepoj.dll" | Chcbhbio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjchad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gbgcln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkjibnbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hcmoafph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmoagi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mklegm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qhadob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmqajk32.dll" | Efinoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgjhnhh.dll" | Lgbiog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdikaci.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoamckg.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbadgl32.dll" | Pnalqqbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgppcbob.dll" | Jgkhhigb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lffjih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefnlime.dll" | Eeeogdga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlojcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nmohjopk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nfbogh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcpbmhp.dll" | Gfeadjlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ehoqklia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hahpih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbcnoc32.dll" | Llkdieii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opkdkbjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbddeb.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oheoaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glckehfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianjii32.dll" | Oeobidll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fldgjd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdbon32.dll" | Qhadob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aepqac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Alponiga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mbicmfqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhcgbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Limjeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgkam32.dll" | Knjfofme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkeimmdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fmbigp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Icjjilho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpedpji.dll" | Ppjjpoih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moapchoj.dll" | Ikbidp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplcpm32.dll" | Ihehbpel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Niqijkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lcbngf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhgaocg.dll" | Dcqfih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchfpi32.dll" | Kcalindb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhdkppgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jgonqhqp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinflf32.dll" | Pplejj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgebnqf.dll" | Fnqdgkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqcoe32.dll" | Cbhhbojn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnkedemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppddko32.dll" | Lnkedemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbfalecf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghckjj32.dll" | Jfbpfl32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3eb2157e52c55d62f924ba853f67a4d712d81b168b70c8b7cc29febc91fe484bN.exe"), PID 1568
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Idhplaoe.exe (command line: C:\Windows\system32\Idhplaoe.exe), PID 2032
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Impdeg32.exe (command line: C:\Windows\system32\Impdeg32.exe), PID 2104
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ihehbpel.exe (command line: C:\Windows\system32\Ihehbpel.exe), PID 2060
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Iapjad32.exe (command line: C:\Windows\system32\Iapjad32.exe), PID 2736
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ipefba32.exe (command line: C:\Windows\system32\Ipefba32.exe), PID 2700
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jbfpcl32.exe (command line: C:\Windows\system32\Jbfpcl32.exe), PID 2676
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jpjpmqjl.exe (command line: C:\Windows\system32\Jpjpmqjl.exe), PID 2560
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Jegheghc.exe (command line: C:\Windows\system32\Jegheghc.exe), PID 2196
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jkfncn32.exe (command line: C:\Windows\system32\Jkfncn32.exe), PID 2932
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kpecad32.exe (command line: C:\Windows\system32\Kpecad32.exe), PID 956
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kckeno32.exe (command line: C:\Windows\system32\Kckeno32.exe), PID 1772
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kcmbco32.exe (command line: C:\Windows\system32\Kcmbco32.exe), PID 564
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Lkhfhaea.exe (command line: C:\Windows\system32\Lkhfhaea.exe), PID 2848
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ldqkqf32.exe (command line: C:\Windows\system32\Ldqkqf32.exe), PID 1864
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lhodgebh.exe (command line: C:\Windows\system32\Lhodgebh.exe), PID 2984
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lgcqhagp.exe (command line: C:\Windows\system32\Lgcqhagp.exe), PID 2188
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Lgfmmaem.exe (command line: C:\Windows\system32\Lgfmmaem.exe), PID 2332
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Lqnbffkn.exe (command line: C:\Windows\system32\Lqnbffkn.exe), PID 2280
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Mjgfol32.exe (command line: C:\Windows\system32\Mjgfol32.exe), PID 2492
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mocogc32.exe (command line: C:\Windows\system32\Mocogc32.exe), PID 1744
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\Minpeh32.exe (command line: C:\Windows\system32\Minpeh32.exe), PID 1652
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Mbgdonkd.exe (command line: C:\Windows\system32\Mbgdonkd.exe), PID 592
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Mpkehbjm.exe (command line: C:\Windows\system32\Mpkehbjm.exe), PID 2312
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Nnpbinoe.exe (command line: C:\Windows\system32\Nnpbinoe.exe), PID 2412
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Nejjfh32.exe (command line: C:\Windows\system32\Nejjfh32.exe), PID 1536
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Nbnkomel.exe (command line: C:\Windows\system32\Nbnkomel.exe), PID 2992
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Nlfohb32.exe (command line: C:\Windows\system32\Nlfohb32.exe), PID 2076
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Nfbmnpfh.exe (command line: C:\Windows\system32\Nfbmnpfh.exe), PID 1096
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Niqijkel.exe (command line: C:\Windows\system32\Niqijkel.exe), PID 2668
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
31. C:\Windows\SysWOW64\Npjage32.exe (command line: C:\Windows\system32\Npjage32.exe), PID 2392
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Oabdol32.exe (command line: C:\Windows\system32\Oabdol32.exe), PID 2568
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Okkhhb32.exe (command line: C:\Windows\system32\Okkhhb32.exe), PID 2544
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Ohoiaf32.exe (command line: C:\Windows\system32\Ohoiaf32.exe), PID 2028
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ooianpif.exe (command line: C:\Windows\system32\Ooianpif.exe), PID 3044
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Pieodn32.exe (command line: C:\Windows\system32\Pieodn32.exe), PID 2580
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Pdjcaf32.exe (command line: C:\Windows\system32\Pdjcaf32.exe), PID 836
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Pdmpgfae.exe (command line: C:\Windows\system32\Pdmpgfae.exe), PID 2444
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Pcbmhb32.exe (command line: C:\Windows\system32\Pcbmhb32.exe), PID 2852
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Qhoeqide.exe (command line: C:\Windows\system32\Qhoeqide.exe), PID 2844
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Qlmnfh32.exe (command line: C:\Windows\system32\Qlmnfh32.exe), PID 1968
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Adhbkj32.exe (command line: C:\Windows\system32\Adhbkj32.exe), PID 944
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Agikmeeg.exe (command line: C:\Windows\system32\Agikmeeg.exe), PID 2176
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Aqapek32.exe (command line: C:\Windows\system32\Aqapek32.exe), PID 2152
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ajladp32.exe (command line: C:\Windows\system32\Ajladp32.exe), PID 1316
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Agpamd32.exe (command line: C:\Windows\system32\Agpamd32.exe), PID 2348
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Bqhffj32.exe (command line: C:\Windows\system32\Bqhffj32.exe), PID 1676
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Bfeonq32.exe (command line: C:\Windows\system32\Bfeonq32.exe), PID 1972
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Bomcgfjh.exe (command line: C:\Windows\system32\Bomcgfjh.exe), PID 2488
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Bfgkdp32.exe (command line: C:\Windows\system32\Bfgkdp32.exe), PID 1656
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Biegpl32.exe (command line: C:\Windows\system32\Biegpl32.exe), PID 2008
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Bbnlia32.exe (command line: C:\Windows\system32\Bbnlia32.exe), PID 2244
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Bihdfkoe.exe (command line: C:\Windows\system32\Bihdfkoe.exe), PID 1240
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Bnemnbmm.exe (command line: C:\Windows\system32\Bnemnbmm.exe), PID 2756
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Bgmagh32.exe (command line: C:\Windows\system32\Bgmagh32.exe), PID 2688
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Bbbedqcc.exe (command line: C:\Windows\system32\Bbbedqcc.exe), PID 2588
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Beaaplbg.exe (command line: C:\Windows\system32\Beaaplbg.exe), PID 2612
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Cgpnlgak.exe (command line: C:\Windows\system32\Cgpnlgak.exe), PID 1252
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Cbebjpaa.exe (command line: C:\Windows\system32\Cbebjpaa.exe), PID 3060
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ckmfbf32.exe (command line: C:\Windows\system32\Ckmfbf32.exe), PID 940
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Cefkkk32.exe (command line: C:\Windows\system32\Cefkkk32.exe), PID 2628
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Cjbccb32.exe (command line: C:\Windows\system32\Cjbccb32.exe), PID 1108
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Cgfdmf32.exe (command line: C:\Windows\system32\Cgfdmf32.exe), PID 2380
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Cbpendha.exe (command line: C:\Windows\system32\Cbpendha.exe), PID 2376
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Clhifj32.exe (command line: C:\Windows\system32\Clhifj32.exe), PID 1540
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Dbbacdfo.exe (command line: C:\Windows\system32\Dbbacdfo.exe), PID 2416
   - Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Diljpn32.exe (command line: C:\Windows\system32\Diljpn32.exe), PID 856
68. C:\Windows\SysWOW64\Doibhekc.exe (command line: C:\Windows\system32\Doibhekc.exe), PID 1988
69. C:\Windows\SysWOW64\Deckeo32.exe (command line: C:\Windows\system32\Deckeo32.exe), PID 2716
70. C:\Windows\SysWOW64\Dpiobh32.exe (command line: C:\Windows\system32\Dpiobh32.exe), PID 1608
71. C:\Windows\SysWOW64\Diackmif.exe (command line: C:\Windows\system32\Diackmif.exe), PID 1720
   - System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Dlppgihj.exe (command line: C:\Windows\system32\Dlppgihj.exe), PID 2696
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Ddkdkk32.exe (command line: C:\Windows\system32\Ddkdkk32.exe), PID 1792
74. C:\Windows\SysWOW64\Dkelhemb.exe (command line: C:\Windows\system32\Dkelhemb.exe), PID 2548
75. C:\Windows\SysWOW64\Dejqenmh.exe (command line: C:\Windows\system32\Dejqenmh.exe), PID 2592
76. C:\Windows\SysWOW64\Ekgineko.exe (command line: C:\Windows\system32\Ekgineko.exe), PID 900
77. C:\Windows\SysWOW64\Edpnfjap.exe (command line: C:\Windows\system32\Edpnfjap.exe), PID 2828
78. C:\Windows\SysWOW64\Eklbid32.exe (command line: C:\Windows\system32\Eklbid32.exe), PID 2020
79. C:\Windows\SysWOW64\Eddgaj32.exe (command line: C:\Windows\system32\Eddgaj32.exe), PID 1504
80. C:\Windows\SysWOW64\Egbcne32.exe (command line: C:\Windows\system32\Egbcne32.exe), PID 1760
81. C:\Windows\SysWOW64\Epkhfkco.exe (command line: C:\Windows\system32\Epkhfkco.exe), PID 1172
82. C:\Windows\SysWOW64\Eehpoaaf.exe (command line: C:\Windows\system32\Eehpoaaf.exe), PID 1548
83. C:\Windows\SysWOW64\Epmdljal.exe (command line: C:\Windows\system32\Epmdljal.exe), PID 1748
84. C:\Windows\SysWOW64\Eaoadb32.exe (command line: C:\Windows\system32\Eaoadb32.exe), PID 1084
85. C:\Windows\SysWOW64\Fkgemh32.exe (command line: C:\Windows\system32\Fkgemh32.exe), PID 952
86. C:\Windows\SysWOW64\Feljja32.exe (command line: C:\Windows\system32\Feljja32.exe), PID 376
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Fkibbh32.exe (command line: C:\Windows\system32\Fkibbh32.exe), PID 2064
88. C:\Windows\SysWOW64\Facjobce.exe (command line: C:\Windows\system32\Facjobce.exe), PID 2684
89. C:\Windows\SysWOW64\Fklohgie.exe (command line: C:\Windows\system32\Fklohgie.exe), PID 1028
90. C:\Windows\SysWOW64\Faegda32.exe (command line: C:\Windows\system32\Faegda32.exe), PID 2704
91. C:\Windows\SysWOW64\Fknlmggc.exe (command line: C:\Windows\system32\Fknlmggc.exe), PID 1992
   - System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Fnlhibff.exe (command line: C:\Windows\system32\Fnlhibff.exe), PID 3056
93. C:\Windows\SysWOW64\Glaejokn.exe (command line: C:\Windows\system32\Glaejokn.exe), PID 2904
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Gckmgi32.exe (command line: C:\Windows\system32\Gckmgi32.exe), PID 2784
95. C:\Windows\SysWOW64\Gfjicd32.exe (command line: C:\Windows\system32\Gfjicd32.exe), PID 2976
96. C:\Windows\SysWOW64\Gnaadb32.exe (command line: C:\Windows\system32\Gnaadb32.exe), PID 2872
97. C:\Windows\SysWOW64\Gobnljhp.exe (command line: C:\Windows\system32\Gobnljhp.exe), PID 2000
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Gjhbic32.exe (command line: C:\Windows\system32\Gjhbic32.exe), PID 572
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Gcpfbhof.exe (command line: C:\Windows\system32\Gcpfbhof.exe), PID 2260
100. C:\Windows\SysWOW64\Ghmokomm.exe (command line: C:\Windows\system32\Ghmokomm.exe), PID 1532
101. C:\Windows\SysWOW64\Gbecce32.exe (command line: C:\Windows\system32\Gbecce32.exe), PID 1636
102. C:\Windows\SysWOW64\Giolpo32.exe (command line: C:\Windows\system32\Giolpo32.exe), PID 2792
103. C:\Windows\SysWOW64\Gbhpidak.exe (command line: C:\Windows\system32\Gbhpidak.exe), PID 2112
104. C:\Windows\SysWOW64\Hiahfo32.exe (command line: C:\Windows\system32\Hiahfo32.exe), PID 3052
105. C:\Windows\SysWOW64\Hkpdbj32.exe (command line: C:\Windows\system32\Hkpdbj32.exe), PID 2920
106. C:\Windows\SysWOW64\Hehikpol.exe (command line: C:\Windows\system32\Hehikpol.exe), PID 1384
107. C:\Windows\SysWOW64\Hkbagjfi.exe (command line: C:\Windows\system32\Hkbagjfi.exe), PID 2892
108. C:\Windows\SysWOW64\Hblidd32.exe (command line: C:\Windows\system32\Hblidd32.exe), PID 1912
109. C:\Windows\SysWOW64\Hgiblk32.exe (command line: C:\Windows\system32\Hgiblk32.exe), PID 2448
110. C:\Windows\SysWOW64\Hjgnhf32.exe (command line: C:\Windows\system32\Hjgnhf32.exe), PID 828
111. C:\Windows\SysWOW64\Hfnomgqe.exe (command line: C:\Windows\system32\Hfnomgqe.exe), PID 1140
112. C:\Windows\SysWOW64\Hadckp32.exe (command line: C:\Windows\system32\Hadckp32.exe), PID 236
113. C:\Windows\SysWOW64\Hfqlcg32.exe (command line: C:\Windows\system32\Hfqlcg32.exe), PID 1104
114. C:\Windows\SysWOW64\Hmkdpafo.exe (command line: C:\Windows\system32\Hmkdpafo.exe), PID 1716
115. C:\Windows\SysWOW64\Ifhacfhj.exe (command line: C:\Windows\system32\Ifhacfhj.exe), PID 2868
116. C:\Windows\SysWOW64\Incfhh32.exe (command line: C:\Windows\system32\Incfhh32.exe), PID 2536
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Iihkea32.exe (command line: C:\Windows\system32\Iihkea32.exe), PID 1380
118. C:\Windows\SysWOW64\Jbclcf32.exe (command line: C:\Windows\system32\Jbclcf32.exe), PID 1440
119. C:\Windows\SysWOW64\Jllpmlqj.exe (command line: C:\Windows\system32\Jllpmlqj.exe), PID 2840
120. C:\Windows\SysWOW64\Jmmmdd32.exe (command line: C:\Windows\system32\Jmmmdd32.exe), PID 2896
121. C:\Windows\SysWOW64\Jhbaam32.exe (command line: C:\Windows\system32\Jhbaam32.exe), PID 1320
122. C:\Windows\SysWOW64\Jakejb32.exe (command line: C:\Windows\system32\Jakejb32.exe), PID 1596