Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
26s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 22:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe
-
Size
64KB
-
MD5
fe117bfff1b66630ec5bc4fc30796e30
-
SHA1
b3459f957f675f0ae65125bd7238709392727603
-
SHA256
6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfad
-
SHA512
2621c2dbd96292f0be4986b9649ae4181de1b4b58c080d50303e67ddf132f30fb2cd172c45582b924f07715744cc767e96271a054e63a611a0ff326c97a93d95
-
SSDEEP
1536:Id8XFyUnvvPeh9Akhw/opSh4jgUXruCHcpzt/Idn:Id8XcgW6QchfpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbdabog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaimipjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhejhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legaoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhqmadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipomlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paknelgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabaocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daaenlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjoco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfioia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfpgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaeipfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieomef32.exe -
Executes dropped EXE 64 IoCs
pid Process 2212 Cmhglq32.exe 2564 Ccbphk32.exe 2288 Ciohqa32.exe 2772 Clmdmm32.exe 2636 Ccdmnj32.exe 2944 Cmmagpef.exe 2624 Cpkmcldj.exe 1484 Chfbgn32.exe 1804 Cpmjhk32.exe 2936 Dhiomn32.exe 2968 Djgkii32.exe 3044 Ddpobo32.exe 2208 Dlfgcl32.exe 1816 Ddblgn32.exe 408 Dfphcj32.exe 1576 Dmjqpdje.exe 2368 Dddimn32.exe 688 Diaaeepi.exe 2488 Dahifbpk.exe 1860 Ddfebnoo.exe 1768 Dicnkdnf.exe 2124 Elajgpmj.exe 2164 Edibhmml.exe 2224 Eggndi32.exe 1520 Eiekpd32.exe 2732 Emagacdm.exe 2864 Egikjh32.exe 2928 Elfcbo32.exe 2808 Eoepnk32.exe 2632 Eacljf32.exe 2828 Eeohkeoe.exe 2972 Eijdkcgn.exe 2932 Elipgofb.exe 2168 Eklqcl32.exe 1672 Ecbhdi32.exe 3052 Eaeipfei.exe 2160 Eddeladm.exe 1616 Ehpalp32.exe 1256 Elkmmodo.exe 2104 Eoiiijcc.exe 2612 Eaheeecg.exe 1820 Edfbaabj.exe 1236 Fhbnbpjc.exe 928 Fgdnnl32.exe 2296 Fkpjnkig.exe 1412 Fajbke32.exe 1296 Fpmbfbgo.exe 2012 Fhdjgoha.exe 2068 Fggkcl32.exe 1528 Fkbgckgd.exe 2280 Fjegog32.exe 2788 Fnacpffh.exe 2252 Fpoolael.exe 2848 Fpoolael.exe 2824 Fcnkhmdp.exe 536 Fjhcegll.exe 2188 Flfpabkp.exe 2988 Fqalaa32.exe 2904 Fdmhbplb.exe 2728 Fgldnkkf.exe 1268 Fjjpjgjj.exe 2052 Flhmfbim.exe 2056 Fqdiga32.exe 1068 Fcbecl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 2212 Cmhglq32.exe 2212 Cmhglq32.exe 2564 Ccbphk32.exe 2564 Ccbphk32.exe 2288 Ciohqa32.exe 2288 Ciohqa32.exe 2772 Clmdmm32.exe 2772 Clmdmm32.exe 2636 Ccdmnj32.exe 2636 Ccdmnj32.exe 2944 Cmmagpef.exe 2944 Cmmagpef.exe 2624 Cpkmcldj.exe 2624 Cpkmcldj.exe 1484 Chfbgn32.exe 1484 Chfbgn32.exe 1804 Cpmjhk32.exe 1804 Cpmjhk32.exe 2936 Dhiomn32.exe 2936 Dhiomn32.exe 2968 Djgkii32.exe 2968 Djgkii32.exe 3044 Ddpobo32.exe 3044 Ddpobo32.exe 2208 Dlfgcl32.exe 2208 Dlfgcl32.exe 1816 Ddblgn32.exe 1816 Ddblgn32.exe 408 Dfphcj32.exe 408 Dfphcj32.exe 1576 Dmjqpdje.exe 1576 Dmjqpdje.exe 2368 Dddimn32.exe 2368 Dddimn32.exe 688 Diaaeepi.exe 688 Diaaeepi.exe 2488 Dahifbpk.exe 2488 Dahifbpk.exe 1860 Ddfebnoo.exe 1860 Ddfebnoo.exe 1768 Dicnkdnf.exe 1768 Dicnkdnf.exe 2124 Elajgpmj.exe 2124 Elajgpmj.exe 2164 Edibhmml.exe 2164 Edibhmml.exe 2224 Eggndi32.exe 2224 Eggndi32.exe 1520 Eiekpd32.exe 1520 Eiekpd32.exe 2732 Emagacdm.exe 2732 Emagacdm.exe 2864 Egikjh32.exe 2864 Egikjh32.exe 2928 Elfcbo32.exe 2928 Elfcbo32.exe 2808 Eoepnk32.exe 2808 Eoepnk32.exe 2632 Eacljf32.exe 2632 Eacljf32.exe 2828 Eeohkeoe.exe 2828 Eeohkeoe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ikfbbjdj.exe Hgkfal32.exe File created C:\Windows\SysWOW64\Kfimpm32.dll Klmqapci.exe File opened for modification C:\Windows\SysWOW64\Gcedad32.exe Gojhafnb.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hgbfnngi.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Hehiqh32.dll Hdecea32.exe File created C:\Windows\SysWOW64\Olfknedh.dll Hnnhngjf.exe File opened for modification C:\Windows\SysWOW64\Ibipmiek.exe Ipjdameg.exe File opened for modification C:\Windows\SysWOW64\Njgpij32.exe Nflchkii.exe File created C:\Windows\SysWOW64\Eickphoo.dll Gcjmmdbf.exe File created C:\Windows\SysWOW64\Ejebfdmb.dll Ioohokoo.exe File created C:\Windows\SysWOW64\Neknki32.exe Napbjjom.exe File created C:\Windows\SysWOW64\Agolnbok.exe Accqnc32.exe File opened for modification C:\Windows\SysWOW64\Eaphjp32.exe Emdmjamj.exe File opened for modification C:\Windows\SysWOW64\Fdnjkh32.exe Faonom32.exe File opened for modification C:\Windows\SysWOW64\Hcgmfgfd.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Jllqplnp.exe Process not Found File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Oidiekdn.exe Oeindm32.exe File created C:\Windows\SysWOW64\Eeojcmfi.exe Efljhq32.exe File created C:\Windows\SysWOW64\Qfekkflj.dll Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Emgioakg.exe Eodicd32.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Goiongbc.exe File created C:\Windows\SysWOW64\Gjdldd32.exe Ggfpgi32.exe File created C:\Windows\SysWOW64\Pecikhmn.dll Njpihk32.exe File created C:\Windows\SysWOW64\Hfglml32.dll Bdkhjgeh.exe File created C:\Windows\SysWOW64\Dppigchi.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Fdcfhj32.dll Ecbhdi32.exe File created C:\Windows\SysWOW64\Eddeladm.exe Eaeipfei.exe File opened for modification C:\Windows\SysWOW64\Dbabho32.exe Djjjga32.exe File created C:\Windows\SysWOW64\Eojlbb32.exe Elkofg32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Olmela32.exe Ohbikbkb.exe File created C:\Windows\SysWOW64\Mommgm32.dll Dlifadkk.exe File created C:\Windows\SysWOW64\Iaimipjl.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Pqgono32.dll Dfphcj32.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mciabmlo.exe File created C:\Windows\SysWOW64\Deondj32.exe Dadbdkld.exe File created C:\Windows\SysWOW64\Gjjmijme.exe Ggkqmoma.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bigkel32.exe File created C:\Windows\SysWOW64\Odchbe32.exe Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Pifbjn32.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Nehhoand.dll Olpbaa32.exe File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Eeojcmfi.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Nidmfh32.exe Nameek32.exe File created C:\Windows\SysWOW64\Mnglnj32.exe Mkipao32.exe File created C:\Windows\SysWOW64\Fijbco32.exe Fglfgd32.exe File created C:\Windows\SysWOW64\Klcgpkhh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nplimbka.exe Ngealejo.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pleofj32.exe File created C:\Windows\SysWOW64\Fpjofl32.exe Flocfmnl.exe File created C:\Windows\SysWOW64\Glehgdkn.dll Ijibng32.exe File created C:\Windows\SysWOW64\Iidobe32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Ldjbkb32.exe Legaoehg.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Glklejoo.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Iacpmi32.dll Obokcqhk.exe File opened for modification C:\Windows\SysWOW64\Legaoehg.exe Laleof32.exe File created C:\Windows\SysWOW64\Phbeeddm.dll Hlgimqhf.exe File opened for modification C:\Windows\SysWOW64\Kcecbq32.exe Kdbbgdjj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10352 10328 Process not Found 1102 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiddbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjlhcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhifooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbcidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkhndca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foahmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlklph32.dll" Ppkjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Omhhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjqf32.dll" Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpgka32.dll" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehiqh32.dll" Hdecea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eakooqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkgjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hnnhngjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgqlafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahojmggk.dll" Gdhdkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hinbppna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icjgpj32.dll" Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddnjc32.dll" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikjpiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckhhgcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhmhm32.dll" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclcfm32.dll" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqehjecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbeeddm.dll" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anadojlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2212 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 30 PID 2404 wrote to memory of 2212 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 30 PID 2404 wrote to memory of 2212 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 30 PID 2404 wrote to memory of 2212 2404 6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe 30 PID 2212 wrote to memory of 2564 2212 Cmhglq32.exe 31 PID 2212 wrote to memory of 2564 2212 Cmhglq32.exe 31 PID 2212 wrote to memory of 2564 2212 Cmhglq32.exe 31 PID 2212 wrote to memory of 2564 2212 Cmhglq32.exe 31 PID 2564 wrote to memory of 2288 2564 Ccbphk32.exe 32 PID 2564 wrote to memory of 2288 2564 Ccbphk32.exe 32 PID 2564 wrote to memory of 2288 2564 Ccbphk32.exe 32 PID 2564 wrote to memory of 2288 2564 Ccbphk32.exe 32 PID 2288 wrote to memory of 2772 2288 Ciohqa32.exe 33 PID 2288 wrote to memory of 2772 2288 Ciohqa32.exe 33 PID 2288 wrote to memory of 2772 2288 Ciohqa32.exe 33 PID 2288 wrote to memory of 2772 2288 Ciohqa32.exe 33 PID 2772 wrote to memory of 2636 2772 Clmdmm32.exe 34 PID 2772 wrote to memory of 2636 2772 Clmdmm32.exe 34 PID 2772 wrote to memory of 2636 2772 Clmdmm32.exe 34 PID 2772 wrote to memory of 2636 2772 Clmdmm32.exe 34 PID 2636 wrote to memory of 2944 2636 Ccdmnj32.exe 35 PID 2636 wrote to memory of 2944 2636 Ccdmnj32.exe 35 PID 2636 wrote to memory of 2944 2636 Ccdmnj32.exe 35 PID 2636 wrote to memory of 2944 2636 Ccdmnj32.exe 35 PID 2944 wrote to memory of 2624 2944 Cmmagpef.exe 36 PID 2944 wrote to memory of 2624 2944 Cmmagpef.exe 36 PID 2944 wrote to memory of 2624 2944 Cmmagpef.exe 36 PID 2944 wrote to memory of 2624 2944 Cmmagpef.exe 36 PID 2624 wrote to memory of 1484 2624 Cpkmcldj.exe 37 PID 2624 wrote to memory of 1484 2624 Cpkmcldj.exe 37 PID 2624 wrote to memory of 1484 2624 Cpkmcldj.exe 37 PID 2624 wrote to memory of 1484 2624 Cpkmcldj.exe 37 PID 1484 wrote to memory of 1804 1484 Chfbgn32.exe 38 PID 1484 wrote to memory of 1804 1484 Chfbgn32.exe 38 PID 1484 wrote to memory of 1804 1484 Chfbgn32.exe 38 PID 1484 wrote to memory of 1804 1484 Chfbgn32.exe 38 PID 1804 wrote to memory of 2936 1804 Cpmjhk32.exe 39 PID 1804 wrote to memory of 2936 1804 Cpmjhk32.exe 39 PID 1804 wrote to memory of 2936 1804 Cpmjhk32.exe 39 PID 1804 wrote to memory of 2936 1804 Cpmjhk32.exe 39 PID 2936 wrote to memory of 2968 2936 Dhiomn32.exe 40 PID 2936 wrote to memory of 2968 2936 Dhiomn32.exe 40 PID 2936 wrote to memory of 2968 2936 Dhiomn32.exe 40 PID 2936 wrote to memory of 2968 2936 Dhiomn32.exe 40 PID 2968 wrote to memory of 3044 2968 Djgkii32.exe 41 PID 2968 wrote to memory of 3044 2968 Djgkii32.exe 41 PID 2968 wrote to memory of 3044 2968 Djgkii32.exe 41 PID 2968 wrote to memory of 3044 2968 Djgkii32.exe 41 PID 3044 wrote to memory of 2208 3044 Ddpobo32.exe 42 PID 3044 wrote to memory of 2208 3044 Ddpobo32.exe 42 PID 3044 wrote to memory of 2208 3044 Ddpobo32.exe 42 PID 3044 wrote to memory of 2208 3044 Ddpobo32.exe 42 PID 2208 wrote to memory of 1816 2208 Dlfgcl32.exe 43 PID 2208 wrote to memory of 1816 2208 Dlfgcl32.exe 43 PID 2208 wrote to memory of 1816 2208 Dlfgcl32.exe 43 PID 2208 wrote to memory of 1816 2208 Dlfgcl32.exe 43 PID 1816 wrote to memory of 408 1816 Ddblgn32.exe 44 PID 1816 wrote to memory of 408 1816 Ddblgn32.exe 44 PID 1816 wrote to memory of 408 1816 Ddblgn32.exe 44 PID 1816 wrote to memory of 408 1816 Ddblgn32.exe 44 PID 408 wrote to memory of 1576 408 Dfphcj32.exe 45 PID 408 wrote to memory of 1576 408 Dfphcj32.exe 45 PID 408 wrote to memory of 1576 408 Dfphcj32.exe 45 PID 408 wrote to memory of 1576 408 Dfphcj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe"C:\Users\Admin\AppData\Local\Temp\6fec2963b22b1abe9eac939e8e43f517d08baabdb4d4e21d1cb90c406685dfadN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe33⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe35⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe38⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe40⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe41⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe43⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe44⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe46⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe47⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe48⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe49⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe50⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe51⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe53⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe54⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe55⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe56⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe57⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe58⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe59⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe60⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe61⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe62⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe63⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe66⤵PID:1304
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe67⤵PID:908
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe68⤵
- System Location Discovery: System Language Discovery
PID:744 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe69⤵PID:1408
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe70⤵PID:1040
-
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe71⤵PID:268
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe72⤵PID:2008
-
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe74⤵PID:2856
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe75⤵PID:2752
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe76⤵PID:2792
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe77⤵PID:828
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe78⤵PID:1976
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe80⤵PID:2616
-
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe81⤵PID:1448
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe82⤵PID:2340
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe83⤵PID:2484
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe84⤵PID:840
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe85⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe86⤵PID:1512
-
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe87⤵PID:2444
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe88⤵PID:988
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe89⤵PID:1944
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe90⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe91⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe92⤵PID:2116
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe93⤵PID:2888
-
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe94⤵PID:2692
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe95⤵PID:2696
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe96⤵PID:3064
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe97⤵PID:1700
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe98⤵PID:2192
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe99⤵PID:1152
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe100⤵PID:692
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe101⤵PID:340
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe102⤵PID:2592
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe104⤵PID:1888
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe105⤵PID:2032
-
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe106⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe107⤵PID:2840
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe108⤵PID:2672
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe110⤵PID:1452
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe111⤵PID:1680
-
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe112⤵PID:2724
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe113⤵PID:2480
-
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe116⤵PID:1604
-
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe117⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe119⤵PID:1972
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe120⤵PID:2940
-
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-