Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 09:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe
-
Size
470KB
-
MD5
e95717d0a504b4aec1e0c4aabb6433a0
-
SHA1
1bd3216feb8705a310955be7fb51dd88cefabc1d
-
SHA256
a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7
-
SHA512
ae63d9070a4dbca4591b8d32f5984227d01b8c1c73525680571954ecf486d6df59a132e4c4badb768155c43e7d62d9d593704662a0ef5e08bc94e126c3e66eb6
-
SSDEEP
12288:lT2N/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVj7:lTW4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbgnpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfckko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmphfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpecad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkcmqcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjofgfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiocdand.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Haqbcoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpecddpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liaggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cidklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Depelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Napibq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibqhibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aahdmanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahpfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgghidfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlodma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbqnobge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphdaeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijhompm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oadnlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eomfiobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmnjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekacnjfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beibln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cefbfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niqijkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnemnbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmccnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opoocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhgnie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doclijgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoeiniea.exe -
Executes dropped EXE 64 IoCs
pid Process 692 Hkgjge32.exe 1728 Haqbcoce.exe 2100 Hhkjpi32.exe 2576 Hngbhp32.exe 2600 Hpfoekhm.exe 2064 Ikfffh32.exe 2132 Ilfbpk32.exe 2592 Iodolf32.exe 2180 Iqhhin32.exe 2260 Jmaedolh.exe 2420 Jqmadn32.exe 1912 Jcmjfiab.exe 1300 Jcpglhpo.exe 2156 Kiolio32.exe 1944 Kgffpk32.exe 2076 Knqnmeff.exe 908 Kemcookp.exe 696 Lpfdpmho.exe 632 Lhnlqjha.exe 936 Lbijgg32.exe 1020 Lehfcc32.exe 1656 Lfgbmf32.exe 1168 Mihkoa32.exe 1344 Mlfgkleh.exe 1556 Mbqpgf32.exe 2492 Mmjqhd32.exe 2236 Mddidnqa.exe 620 Mhbakmgg.exe 2856 Mclbkjcf.exe 2368 Mmaghc32.exe 2996 Ndkoemji.exe 2476 Nmccnc32.exe 2356 Ncplfj32.exe 2432 Naeigf32.exe 2308 Nlkmeo32.exe 536 Nhbnjpic.exe 2344 Ndhooaog.exe 2680 Oamohenq.exe 1792 Opoocb32.exe 2176 Odkkdqmd.exe 992 Ohfgeo32.exe 2092 Okecak32.exe 1900 Okgpfjbo.exe 3040 Olhmnb32.exe 2044 Oqdioaqf.exe 2264 Ofaaghom.exe 2116 Onhihepp.exe 1576 Ooiepnen.exe 1784 Ofcnmh32.exe 2292 Ommfibdg.exe 2988 Polbemck.exe 900 Pbjoaibo.exe 2604 Pjafbfca.exe 2388 Pmpcoabe.exe 2556 Ponokmah.exe 1592 Pblkgh32.exe 2708 Pfjdmggb.exe 2700 Piipibff.exe 2636 Pkglenej.exe 1100 Pikmob32.exe 1040 Pkiikm32.exe 2812 Pafacd32.exe 1748 Pcdnpp32.exe 576 Pgpjpnhk.exe -
Loads dropped DLL 64 IoCs
pid Process 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 692 Hkgjge32.exe 692 Hkgjge32.exe 1728 Haqbcoce.exe 1728 Haqbcoce.exe 2100 Hhkjpi32.exe 2100 Hhkjpi32.exe 2576 Hngbhp32.exe 2576 Hngbhp32.exe 2600 Hpfoekhm.exe 2600 Hpfoekhm.exe 2064 Ikfffh32.exe 2064 Ikfffh32.exe 2132 Ilfbpk32.exe 2132 Ilfbpk32.exe 2592 Iodolf32.exe 2592 Iodolf32.exe 2180 Iqhhin32.exe 2180 Iqhhin32.exe 2260 Jmaedolh.exe 2260 Jmaedolh.exe 2420 Jqmadn32.exe 2420 Jqmadn32.exe 1912 Jcmjfiab.exe 1912 Jcmjfiab.exe 1300 Jcpglhpo.exe 1300 Jcpglhpo.exe 2156 Kiolio32.exe 2156 Kiolio32.exe 1944 Kgffpk32.exe 1944 Kgffpk32.exe 2076 Knqnmeff.exe 2076 Knqnmeff.exe 908 Kemcookp.exe 908 Kemcookp.exe 696 Lpfdpmho.exe 696 Lpfdpmho.exe 632 Lhnlqjha.exe 632 Lhnlqjha.exe 936 Lbijgg32.exe 936 Lbijgg32.exe 1020 Lehfcc32.exe 1020 Lehfcc32.exe 1656 Lfgbmf32.exe 1656 Lfgbmf32.exe 1168 Mihkoa32.exe 1168 Mihkoa32.exe 1344 Mlfgkleh.exe 1344 Mlfgkleh.exe 1556 Mbqpgf32.exe 1556 Mbqpgf32.exe 2492 Mmjqhd32.exe 2492 Mmjqhd32.exe 2236 Mddidnqa.exe 2236 Mddidnqa.exe 620 Mhbakmgg.exe 620 Mhbakmgg.exe 2856 Mclbkjcf.exe 2856 Mclbkjcf.exe 2368 Mmaghc32.exe 2368 Mmaghc32.exe 2996 Ndkoemji.exe 2996 Ndkoemji.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cbfidfem.exe Badlln32.exe File opened for modification C:\Windows\SysWOW64\Jdibfn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qofjmnji.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gpihog32.exe Gnhlgoia.exe File created C:\Windows\SysWOW64\Hmlfcjfd.dll Pjlbld32.exe File created C:\Windows\SysWOW64\Lnejqmie.exe Lgladc32.exe File created C:\Windows\SysWOW64\Bdpaan32.dll Cbmoeeod.exe File created C:\Windows\SysWOW64\Kmecamae.dll Bpomdmqa.exe File created C:\Windows\SysWOW64\Eklbid32.exe Ecdkgg32.exe File opened for modification C:\Windows\SysWOW64\Ngpokkgb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jopogefh.exe Process not Found File created C:\Windows\SysWOW64\Chmgna32.dll Ommfibdg.exe File created C:\Windows\SysWOW64\Klhniing.dll Cgnbepjp.exe File opened for modification C:\Windows\SysWOW64\Nnpbinoe.exe Npmana32.exe File created C:\Windows\SysWOW64\Gjpama32.exe Process not Found File created C:\Windows\SysWOW64\Eaeefnlk.dll Jggljqcb.exe File created C:\Windows\SysWOW64\Ciggap32.exe Cbmoeeod.exe File created C:\Windows\SysWOW64\Nbnpaflj.dll Process not Found File created C:\Windows\SysWOW64\Cefpmiji.exe Cbhcankf.exe File created C:\Windows\SysWOW64\Bbeaaiga.dll Dghekobe.exe File created C:\Windows\SysWOW64\Dmlffcog.dll Bpmqom32.exe File opened for modification C:\Windows\SysWOW64\Gmflmfpe.exe Gflcplhh.exe File created C:\Windows\SysWOW64\Cphmegmd.dll Coejfn32.exe File created C:\Windows\SysWOW64\Fapdgk32.dll Lfmhla32.exe File created C:\Windows\SysWOW64\Lcpkhk32.dll Process not Found File created C:\Windows\SysWOW64\Jobompob.dll Iklajp32.exe File opened for modification C:\Windows\SysWOW64\Lcgldc32.exe Lokpcekn.exe File opened for modification C:\Windows\SysWOW64\Acqpdgni.exe Akjhcimg.exe File created C:\Windows\SysWOW64\Eeecibci.exe Ecggmfde.exe File created C:\Windows\SysWOW64\Lbijgg32.exe Lhnlqjha.exe File created C:\Windows\SysWOW64\Clphjc32.exe Cefpmiji.exe File created C:\Windows\SysWOW64\Ndolpa32.dll Ofbgbaio.exe File created C:\Windows\SysWOW64\Klgeabga.dll Dlomnp32.exe File created C:\Windows\SysWOW64\Gdklje32.exe Process not Found File created C:\Windows\SysWOW64\Aigkfhbp.dll Oadnlc32.exe File created C:\Windows\SysWOW64\Bjcnoe32.exe Bgebcj32.exe File created C:\Windows\SysWOW64\Egqjgpom.dll Bpepbkhk.exe File opened for modification C:\Windows\SysWOW64\Peclcc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hjgnhf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dbaflm32.exe Dcofqphi.exe File opened for modification C:\Windows\SysWOW64\Idjjih32.exe Iegjnkod.exe File opened for modification C:\Windows\SysWOW64\Qokhjjbk.exe Qkolil32.exe File created C:\Windows\SysWOW64\Pihfin32.dll Ijnbpm32.exe File created C:\Windows\SysWOW64\Idabbpgj.exe Imgjfe32.exe File created C:\Windows\SysWOW64\Ebfhilpd.dll Process not Found File created C:\Windows\SysWOW64\Blfodb32.exe Process not Found File created C:\Windows\SysWOW64\Djddbkck.exe Dfhial32.exe File created C:\Windows\SysWOW64\Nbflhcbd.dll Mhjdpgic.exe File opened for modification C:\Windows\SysWOW64\Nlfmoidh.exe Neldbo32.exe File created C:\Windows\SysWOW64\Bknani32.exe Aediaoae.exe File created C:\Windows\SysWOW64\Pmghilqf.dll Jpgaohej.exe File created C:\Windows\SysWOW64\Bbegkn32.exe Bmhncg32.exe File created C:\Windows\SysWOW64\Fibqhibd.exe Fefdhj32.exe File opened for modification C:\Windows\SysWOW64\Gqajfmpb.exe Process not Found File created C:\Windows\SysWOW64\Pmaiiooh.dll Process not Found File created C:\Windows\SysWOW64\Dajjck32.dll Caomgjnk.exe File created C:\Windows\SysWOW64\Ghjjoeei.exe Gekncjfe.exe File created C:\Windows\SysWOW64\Bjnqkj32.dll Ngdgkf32.exe File created C:\Windows\SysWOW64\Anigaeoh.exe Afbpph32.exe File created C:\Windows\SysWOW64\Igmppcpm.exe Ipbgci32.exe File created C:\Windows\SysWOW64\Eakkkdnm.exe Enpoje32.exe File opened for modification C:\Windows\SysWOW64\Hhgdig32.exe Process not Found File created C:\Windows\SysWOW64\Kpliac32.exe Knnmeh32.exe File created C:\Windows\SysWOW64\Iblack32.dll Amjmpk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8052 8100 Process not Found 1683 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdigocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalhop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnknfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmldhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpojcpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmclold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafeaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikmkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhcankf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceclmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckknqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkflii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejcnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klnpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plhdkhoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobenc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhbop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpafhpaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhibenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmiqlpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmecbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjehflbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglhcihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jompim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnlobhne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfqmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkphnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnpek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgojdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbodk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfajgbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgjfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmijmn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfclji32.dll" Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hieegjdf.dll" Pgmfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbckeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifane32.dll" Pgcmoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Badlln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deghbk32.dll" Eklgjbca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcllii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goklkh32.dll" Gmflmfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihojdb32.dll" Coofoghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggofcmih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphdha32.dll" Lkomhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnemnbmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclckhlb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgnci32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioonfaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoafi32.dll" Qiclcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djanahia.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Linanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmacqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipfoh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjphff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljgohme.dll" Afmokbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godmfj32.dll" Dolondiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ponokmah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bndjei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fefnmdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcieb32.dll" Nppemgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epdafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoojcjh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpbnmhk.dll" Kfcoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccikghel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpfpkog.dll" Cpolli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdhboaf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnlfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnpkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbjoaibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coacdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldchff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maplcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmlj32.dll" Bikemiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejeka32.dll" Lbbodk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkkcmqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcehpbdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jiphpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 692 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 29 PID 1048 wrote to memory of 692 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 29 PID 1048 wrote to memory of 692 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 29 PID 1048 wrote to memory of 692 1048 a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe 29 PID 692 wrote to memory of 1728 692 Hkgjge32.exe 30 PID 692 wrote to memory of 1728 692 Hkgjge32.exe 30 PID 692 wrote to memory of 1728 692 Hkgjge32.exe 30 PID 692 wrote to memory of 1728 692 Hkgjge32.exe 30 PID 1728 wrote to memory of 2100 1728 Haqbcoce.exe 31 PID 1728 wrote to memory of 2100 1728 Haqbcoce.exe 31 PID 1728 wrote to memory of 2100 1728 Haqbcoce.exe 31 PID 1728 wrote to memory of 2100 1728 Haqbcoce.exe 31 PID 2100 wrote to memory of 2576 2100 Hhkjpi32.exe 32 PID 2100 wrote to memory of 2576 2100 Hhkjpi32.exe 32 PID 2100 wrote to memory of 2576 2100 Hhkjpi32.exe 32 PID 2100 wrote to memory of 2576 2100 Hhkjpi32.exe 32 PID 2576 wrote to memory of 2600 2576 Hngbhp32.exe 33 PID 2576 wrote to memory of 2600 2576 Hngbhp32.exe 33 PID 2576 wrote to memory of 2600 2576 Hngbhp32.exe 33 PID 2576 wrote to memory of 2600 2576 Hngbhp32.exe 33 PID 2600 wrote to memory of 2064 2600 Hpfoekhm.exe 34 PID 2600 wrote to memory of 2064 2600 Hpfoekhm.exe 34 PID 2600 wrote to memory of 2064 2600 Hpfoekhm.exe 34 PID 2600 wrote to memory of 2064 2600 Hpfoekhm.exe 34 PID 2064 wrote to memory of 2132 2064 Ikfffh32.exe 35 PID 2064 wrote to memory of 2132 2064 Ikfffh32.exe 35 PID 2064 wrote to memory of 2132 2064 Ikfffh32.exe 35 PID 2064 wrote to memory of 2132 2064 Ikfffh32.exe 35 PID 2132 wrote to memory of 2592 2132 Ilfbpk32.exe 36 PID 2132 wrote to memory of 2592 2132 Ilfbpk32.exe 36 PID 2132 wrote to memory of 2592 2132 Ilfbpk32.exe 36 PID 2132 wrote to memory of 2592 2132 Ilfbpk32.exe 36 PID 2592 wrote to memory of 2180 2592 Iodolf32.exe 37 PID 2592 wrote to memory of 2180 2592 Iodolf32.exe 37 PID 2592 wrote to memory of 2180 2592 Iodolf32.exe 37 PID 2592 wrote to memory of 2180 2592 Iodolf32.exe 37 PID 2180 wrote to memory of 2260 2180 Iqhhin32.exe 38 PID 2180 wrote to memory of 2260 2180 Iqhhin32.exe 38 PID 2180 wrote to memory of 2260 2180 Iqhhin32.exe 38 PID 2180 wrote to memory of 2260 2180 Iqhhin32.exe 38 PID 2260 wrote to memory of 2420 2260 Jmaedolh.exe 39 PID 2260 wrote to memory of 2420 2260 Jmaedolh.exe 39 PID 2260 wrote to memory of 2420 2260 Jmaedolh.exe 39 PID 2260 wrote to memory of 2420 2260 Jmaedolh.exe 39 PID 2420 wrote to memory of 1912 2420 Jqmadn32.exe 40 PID 2420 wrote to memory of 1912 2420 Jqmadn32.exe 40 PID 2420 wrote to memory of 1912 2420 Jqmadn32.exe 40 PID 2420 wrote to memory of 1912 2420 Jqmadn32.exe 40 PID 1912 wrote to memory of 1300 1912 Jcmjfiab.exe 41 PID 1912 wrote to memory of 1300 1912 Jcmjfiab.exe 41 PID 1912 wrote to memory of 1300 1912 Jcmjfiab.exe 41 PID 1912 wrote to memory of 1300 1912 Jcmjfiab.exe 41 PID 1300 wrote to memory of 2156 1300 Jcpglhpo.exe 42 PID 1300 wrote to memory of 2156 1300 Jcpglhpo.exe 42 PID 1300 wrote to memory of 2156 1300 Jcpglhpo.exe 42 PID 1300 wrote to memory of 2156 1300 Jcpglhpo.exe 42 PID 2156 wrote to memory of 1944 2156 Kiolio32.exe 43 PID 2156 wrote to memory of 1944 2156 Kiolio32.exe 43 PID 2156 wrote to memory of 1944 2156 Kiolio32.exe 43 PID 2156 wrote to memory of 1944 2156 Kiolio32.exe 43 PID 1944 wrote to memory of 2076 1944 Kgffpk32.exe 44 PID 1944 wrote to memory of 2076 1944 Kgffpk32.exe 44 PID 1944 wrote to memory of 2076 1944 Kgffpk32.exe 44 PID 1944 wrote to memory of 2076 1944 Kgffpk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe"C:\Users\Admin\AppData\Local\Temp\a3e5e6c09245c75caf6b9218bbb822a53574b6f1903a8f30dfd69b6d369f25d7N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Hkgjge32.exeC:\Windows\system32\Hkgjge32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ilfbpk32.exeC:\Windows\system32\Ilfbpk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Lehfcc32.exeC:\Windows\system32\Lehfcc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Lfgbmf32.exeC:\Windows\system32\Lfgbmf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe34⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe35⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe36⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe37⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ndhooaog.exeC:\Windows\system32\Ndhooaog.exe38⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe39⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe41⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe42⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe43⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe44⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe45⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe46⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe47⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe48⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe49⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe50⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe52⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe54⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe55⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe57⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe58⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe59⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe60⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe61⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe62⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe64⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe65⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe66⤵PID:1948
-
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe67⤵PID:912
-
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe68⤵PID:2192
-
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe69⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Qakkncmi.exeC:\Windows\system32\Qakkncmi.exe70⤵PID:2112
-
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe71⤵PID:2096
-
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe72⤵PID:1744
-
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe73⤵PID:888
-
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe74⤵PID:2228
-
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe75⤵PID:2824
-
C:\Windows\SysWOW64\Abodlk32.exeC:\Windows\system32\Abodlk32.exe76⤵PID:1596
-
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe77⤵PID:2240
-
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe78⤵PID:3048
-
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe79⤵PID:976
-
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe80⤵PID:3004
-
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe81⤵PID:2408
-
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe82⤵PID:348
-
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe83⤵PID:2960
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe84⤵PID:684
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe86⤵PID:2688
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe87⤵PID:2904
-
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe88⤵PID:1052
-
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe89⤵PID:2136
-
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe90⤵PID:1424
-
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe91⤵PID:3044
-
C:\Windows\SysWOW64\Bhdpjaga.exeC:\Windows\system32\Bhdpjaga.exe92⤵PID:1708
-
C:\Windows\SysWOW64\Bjclfmfe.exeC:\Windows\system32\Bjclfmfe.exe93⤵PID:1804
-
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe94⤵PID:1624
-
C:\Windows\SysWOW64\Behpcefk.exeC:\Windows\system32\Behpcefk.exe95⤵PID:1704
-
C:\Windows\SysWOW64\Bfjmkn32.exeC:\Windows\system32\Bfjmkn32.exe96⤵PID:2936
-
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe97⤵PID:1580
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe98⤵PID:2572
-
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe99⤵PID:852
-
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe100⤵PID:1808
-
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe101⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Baannfim.exeC:\Windows\system32\Baannfim.exe102⤵PID:2500
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe103⤵PID:1324
-
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe104⤵PID:2932
-
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe105⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Bbegkn32.exeC:\Windows\system32\Bbegkn32.exe106⤵PID:2652
-
C:\Windows\SysWOW64\Bgablmfa.exeC:\Windows\system32\Bgablmfa.exe107⤵PID:2304
-
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe108⤵PID:2648
-
C:\Windows\SysWOW64\Clnkdc32.exeC:\Windows\system32\Clnkdc32.exe109⤵PID:2084
-
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Cefpmiji.exeC:\Windows\system32\Cefpmiji.exe111⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe112⤵PID:1348
-
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe113⤵PID:2164
-
C:\Windows\SysWOW64\Campbj32.exeC:\Windows\system32\Campbj32.exe114⤵PID:2020
-
C:\Windows\SysWOW64\Cehlbihg.exeC:\Windows\system32\Cehlbihg.exe115⤵PID:1852
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe116⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ckeekp32.exeC:\Windows\system32\Ckeekp32.exe117⤵PID:756
-
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe118⤵PID:2524
-
C:\Windows\SysWOW64\Caomgjnk.exeC:\Windows\system32\Caomgjnk.exe119⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe120⤵PID:2900
-
C:\Windows\SysWOW64\Cleaebna.exeC:\Windows\system32\Cleaebna.exe121⤵PID:952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-