Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 08:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9983bc3b57abf4e0a5e412ff2e2449b0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9983bc3b57abf4e0a5e412ff2e2449b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9983bc3b57abf4e0a5e412ff2e2449b0N.exe
-
Size
95KB
-
MD5
9983bc3b57abf4e0a5e412ff2e2449b0
-
SHA1
02c622a503482f213282e020d12ef33ef3babf82
-
SHA256
809cca6da630b8f2e63fa60949bb7300ad58c11c9444e3e2eb12ff72515dca64
-
SHA512
e0ae4a8fc383284df103ee09d00472bc17433c76195f72be837799e246b09b810e4fc7bd9f9d59a456af43a9982102a8f5122252626f702cd7ecf4fff4fb54a0
-
SSDEEP
1536:f3Hz+As+0TCZODal8PG906lqRtWijFOJHeS3MuQrtqbUKmz1Mdri1qRS2LgdOM68:f3Fp0OZODalHRcR2J+S3M9yNjLgdDrLD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkoocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inbobn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihkoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necandjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqibjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjofljho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahkhgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hidjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhebij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhcgjkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpliec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qahnid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhcgjkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkjbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmahbhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghjjoeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfadeaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdedoegh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgoaflj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkglenej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gffmqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idncdgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqbbig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jookedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blkoocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejcaanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpnekc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgpfjbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oceaql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbadcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhgonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncplfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoanckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkiikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojlmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdend32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmklbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibmglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkokjjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfdpmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meaiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgljced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadeaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchjqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifcdbhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgbfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aifpcfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibqhibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbmbgngb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbnpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjqbg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1968 Knldaf32.exe 2056 Kfcmcckn.exe 1544 Kiaiooja.exe 2832 Kgdijk32.exe 3056 Kkpekjie.exe 672 Kamncagl.exe 2608 Kkbbqjgb.exe 1964 Kejfio32.exe 2132 Kgibeklf.exe 2416 Kjgoaflj.exe 2928 Kmeknakn.exe 2936 Kgkokjjd.exe 3000 Ljjkgfig.exe 2644 Lmhhcaik.exe 1748 Lpfdpmho.exe 2100 Lfpllg32.exe 752 Liohhbno.exe 2364 Lpiqel32.exe 2380 Lbgmah32.exe 572 Lfbibfmi.exe 2112 Lmmaoq32.exe 1380 Ldgikklb.exe 1136 Lbijgg32.exe 988 Lehfcc32.exe 1936 Llbnpm32.exe 2156 Lpmjplag.exe 2880 Lifoia32.exe 1284 Lobgah32.exe 2392 Mihkoa32.exe 2740 Mlfgkleh.exe 2572 Mbqpgf32.exe 1800 Mhmhpm32.exe 2784 Mlidplcf.exe 2420 Meaiia32.exe 3028 Mddidnqa.exe 2996 Mmlmmdga.exe 2760 Mpkjjofe.exe 2268 Mgebfi32.exe 2012 Micnbe32.exe 1552 Mmojcceo.exe 3068 Mdibpn32.exe 2108 Mggoli32.exe 2200 Mmaghc32.exe 1460 Nldgdpjf.exe 1980 Nppceo32.exe 1468 Ngikaijm.exe 1760 Nihgndip.exe 1080 Npbpjn32.exe 2276 Noepfkgh.exe 1924 Ncplfj32.exe 2712 Neohbe32.exe 2564 Nliqoofa.exe 2628 Nimaic32.exe 2744 Nhpadpke.exe 2988 Nlkmeo32.exe 2956 Nknmplji.exe 2136 Noiiaj32.exe 3004 Nceeaikk.exe 2324 Necandjo.exe 2376 Ndfbia32.exe 1516 Nhbnjpic.exe 2396 Nkpjfkhf.exe 1656 Nolffjap.exe 1236 Nnofbg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 1968 Knldaf32.exe 1968 Knldaf32.exe 2056 Kfcmcckn.exe 2056 Kfcmcckn.exe 1544 Kiaiooja.exe 1544 Kiaiooja.exe 2832 Kgdijk32.exe 2832 Kgdijk32.exe 3056 Kkpekjie.exe 3056 Kkpekjie.exe 672 Kamncagl.exe 672 Kamncagl.exe 2608 Kkbbqjgb.exe 2608 Kkbbqjgb.exe 1964 Kejfio32.exe 1964 Kejfio32.exe 2132 Kgibeklf.exe 2132 Kgibeklf.exe 2416 Kjgoaflj.exe 2416 Kjgoaflj.exe 2928 Kmeknakn.exe 2928 Kmeknakn.exe 2936 Kgkokjjd.exe 2936 Kgkokjjd.exe 3000 Ljjkgfig.exe 3000 Ljjkgfig.exe 2644 Lmhhcaik.exe 2644 Lmhhcaik.exe 1748 Lpfdpmho.exe 1748 Lpfdpmho.exe 2100 Lfpllg32.exe 2100 Lfpllg32.exe 752 Liohhbno.exe 752 Liohhbno.exe 2364 Lpiqel32.exe 2364 Lpiqel32.exe 2380 Lbgmah32.exe 2380 Lbgmah32.exe 572 Lfbibfmi.exe 572 Lfbibfmi.exe 2112 Lmmaoq32.exe 2112 Lmmaoq32.exe 1380 Ldgikklb.exe 1380 Ldgikklb.exe 1136 Lbijgg32.exe 1136 Lbijgg32.exe 988 Lehfcc32.exe 988 Lehfcc32.exe 1936 Llbnpm32.exe 1936 Llbnpm32.exe 2156 Lpmjplag.exe 2156 Lpmjplag.exe 2880 Lifoia32.exe 2880 Lifoia32.exe 1284 Lobgah32.exe 1284 Lobgah32.exe 2392 Mihkoa32.exe 2392 Mihkoa32.exe 2740 Mlfgkleh.exe 2740 Mlfgkleh.exe 2572 Mbqpgf32.exe 2572 Mbqpgf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iabjgoga.dll Aflmbj32.exe File created C:\Windows\SysWOW64\Qoeidfog.dll Bdpjjaiq.exe File created C:\Windows\SysWOW64\Gchfgkcp.dll Chiedc32.exe File opened for modification C:\Windows\SysWOW64\Eklgjbca.exe Eligoe32.exe File created C:\Windows\SysWOW64\Lpmjplag.exe Llbnpm32.exe File created C:\Windows\SysWOW64\Najbbepc.exe Nnofbg32.exe File created C:\Windows\SysWOW64\Kcclni32.dll Ocbekmpi.exe File created C:\Windows\SysWOW64\Panoee32.dll Gnfoao32.exe File created C:\Windows\SysWOW64\Jopfgaod.dll Lpiqel32.exe File opened for modification C:\Windows\SysWOW64\Neohbe32.exe Ncplfj32.exe File opened for modification C:\Windows\SysWOW64\Dnoqbi32.exe Dfhial32.exe File created C:\Windows\SysWOW64\Befhpq32.dll Campbj32.exe File created C:\Windows\SysWOW64\Ikcbfb32.exe Ighfecdb.exe File created C:\Windows\SysWOW64\Pjlifjjb.exe Pkiikm32.exe File created C:\Windows\SysWOW64\Apgnpo32.exe Ahpfoa32.exe File created C:\Windows\SysWOW64\Condfo32.exe Cpldjajo.exe File created C:\Windows\SysWOW64\Gekncjfe.exe Gbmbgngb.exe File created C:\Windows\SysWOW64\Lfbibfmi.exe Lbgmah32.exe File created C:\Windows\SysWOW64\Mgigmefc.dll Ldgikklb.exe File opened for modification C:\Windows\SysWOW64\Pmbpda32.exe Pifcdbhi.exe File opened for modification C:\Windows\SysWOW64\Ekjjebed.exe Dlgjie32.exe File created C:\Windows\SysWOW64\Fjkgampo.exe Ffokan32.exe File opened for modification C:\Windows\SysWOW64\Mlfgkleh.exe Mihkoa32.exe File created C:\Windows\SysWOW64\Ddjjlj32.dll Mmlmmdga.exe File created C:\Windows\SysWOW64\Bpchiebc.dll Afhcgjkq.exe File created C:\Windows\SysWOW64\Cadfbi32.exe Coejfn32.exe File created C:\Windows\SysWOW64\Ffahgn32.exe Fqdong32.exe File opened for modification C:\Windows\SysWOW64\Hoflpbmo.exe Hpckee32.exe File created C:\Windows\SysWOW64\Dpkmhq32.dll Lpfdpmho.exe File opened for modification C:\Windows\SysWOW64\Algida32.exe Amdhidqk.exe File created C:\Windows\SysWOW64\Bgablmfa.exe Bpgjob32.exe File opened for modification C:\Windows\SysWOW64\Mhmhpm32.exe Mbqpgf32.exe File created C:\Windows\SysWOW64\Qmoone32.exe Qnlobhne.exe File opened for modification C:\Windows\SysWOW64\Igmppcpm.exe Idncdgai.exe File created C:\Windows\SysWOW64\Qbamehlq.dll Apgnpo32.exe File created C:\Windows\SysWOW64\Ckgapo32.exe Chiedc32.exe File opened for modification C:\Windows\SysWOW64\Hdlkpd32.exe Hlebog32.exe File created C:\Windows\SysWOW64\Jlimimpg.dll Qedjib32.exe File opened for modification C:\Windows\SysWOW64\Qgbfen32.exe Qcgkeonp.exe File opened for modification C:\Windows\SysWOW64\Ckgapo32.exe Chiedc32.exe File opened for modification C:\Windows\SysWOW64\Hlliof32.exe Hhqmogam.exe File opened for modification C:\Windows\SysWOW64\Lpmjplag.exe Llbnpm32.exe File opened for modification C:\Windows\SysWOW64\Nnofbg32.exe Nolffjap.exe File opened for modification C:\Windows\SysWOW64\Pjlifjjb.exe Pkiikm32.exe File created C:\Windows\SysWOW64\Cmfdmc32.dll Pneiaidn.exe File opened for modification C:\Windows\SysWOW64\Coejfn32.exe Ckjnfobi.exe File created C:\Windows\SysWOW64\Hcakjgef.dll Emdjbi32.exe File created C:\Windows\SysWOW64\Madiaabn.dll Ffokan32.exe File created C:\Windows\SysWOW64\Neahmj32.dll Iegjnkod.exe File created C:\Windows\SysWOW64\Keemfmgm.dll Igmppcpm.exe File created C:\Windows\SysWOW64\Igeljknl.dll Kgkokjjd.exe File created C:\Windows\SysWOW64\Mhmhpm32.exe Mbqpgf32.exe File opened for modification C:\Windows\SysWOW64\Djhnmj32.exe Dfmbmkgm.exe File opened for modification C:\Windows\SysWOW64\Cpldjajo.exe Clphjc32.exe File created C:\Windows\SysWOW64\Gqcbihdb.dll Gncblo32.exe File opened for modification C:\Windows\SysWOW64\Nhbnjpic.exe Ndfbia32.exe File created C:\Windows\SysWOW64\Pidgnc32.exe Pjafbfca.exe File created C:\Windows\SysWOW64\Lhongdah.dll Baoahf32.exe File created C:\Windows\SysWOW64\Ioebelhe.dll Dclikp32.exe File created C:\Windows\SysWOW64\Hdlkpd32.exe Hlebog32.exe File created C:\Windows\SysWOW64\Mmojcceo.exe Micnbe32.exe File created C:\Windows\SysWOW64\Nlpnhnoo.dll Ajelmiag.exe File created C:\Windows\SysWOW64\Dajjck32.dll Cekihh32.exe File created C:\Windows\SysWOW64\Ffokan32.exe Fpecddpi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4320 4272 WerFault.exe 392 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaiooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqpgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jficbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdhidqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeajcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdifda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qedjib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggkklnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgbfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaakob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpihog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmnfajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejfio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgibeklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmlmmdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peandcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibqhibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnpih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpekjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoanckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihefjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfmkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceeaikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhnmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hepdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamncagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjjofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcofqphi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomaaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idncdgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infhmmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkkdqmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9983bc3b57abf4e0a5e412ff2e2449b0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlkakqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edieng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjafbfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdend32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgkeonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdjbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgebfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpjfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmbhegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgclpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighfecdb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlkmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhnmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfpllg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpknep32.dll" Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idoclg32.dll" Pgnmjokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjfni32.dll" Fipdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbkhjjg.dll" Cnfnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmil32.dll" Dgehfodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqklhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gldaoaqg.dll" Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giihlbcj.dll" Feiamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljjkgfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikmdack.dll" Nliqoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceidfi32.dll" Pjlifjjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifem32.dll" Amalcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebhlmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peandcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgmlkgh.dll" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaonifh.dll" Fibqhibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iigcomkk.dll" Mhmhpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmphgbf.dll" Nldgdpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeemifp.dll" Anlkakqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eojpqpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afeakp32.dll" Fpjlpclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 9983bc3b57abf4e0a5e412ff2e2449b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpkjjofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkeem32.dll" Ohdkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeekfj32.dll" Mlfgkleh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhniing.dll" Ckjnfobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkdpp32.dll" Fndfmljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngikaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbcjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpliec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmkpchmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fibqhibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hepdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miegjbih.dll" Lehfcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peoanckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfadeaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjbbmmih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onelbfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkoikcaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nceeaikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohhfn32.dll" Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoehh32.dll" Ffmnloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhebij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkokjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcakjgef.dll" Emdjbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhddcifo.dll" Ddgljced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgehfodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcnpf32.dll" Jjpehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjenb32.dll" Kjgoaflj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 1968 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 29 PID 2508 wrote to memory of 1968 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 29 PID 2508 wrote to memory of 1968 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 29 PID 2508 wrote to memory of 1968 2508 9983bc3b57abf4e0a5e412ff2e2449b0N.exe 29 PID 1968 wrote to memory of 2056 1968 Knldaf32.exe 30 PID 1968 wrote to memory of 2056 1968 Knldaf32.exe 30 PID 1968 wrote to memory of 2056 1968 Knldaf32.exe 30 PID 1968 wrote to memory of 2056 1968 Knldaf32.exe 30 PID 2056 wrote to memory of 1544 2056 Kfcmcckn.exe 31 PID 2056 wrote to memory of 1544 2056 Kfcmcckn.exe 31 PID 2056 wrote to memory of 1544 2056 Kfcmcckn.exe 31 PID 2056 wrote to memory of 1544 2056 Kfcmcckn.exe 31 PID 1544 wrote to memory of 2832 1544 Kiaiooja.exe 32 PID 1544 wrote to memory of 2832 1544 Kiaiooja.exe 32 PID 1544 wrote to memory of 2832 1544 Kiaiooja.exe 32 PID 1544 wrote to memory of 2832 1544 Kiaiooja.exe 32 PID 2832 wrote to memory of 3056 2832 Kgdijk32.exe 33 PID 2832 wrote to memory of 3056 2832 Kgdijk32.exe 33 PID 2832 wrote to memory of 3056 2832 Kgdijk32.exe 33 PID 2832 wrote to memory of 3056 2832 Kgdijk32.exe 33 PID 3056 wrote to memory of 672 3056 Kkpekjie.exe 34 PID 3056 wrote to memory of 672 3056 Kkpekjie.exe 34 PID 3056 wrote to memory of 672 3056 Kkpekjie.exe 34 PID 3056 wrote to memory of 672 3056 Kkpekjie.exe 34 PID 672 wrote to memory of 2608 672 Kamncagl.exe 35 PID 672 wrote to memory of 2608 672 Kamncagl.exe 35 PID 672 wrote to memory of 2608 672 Kamncagl.exe 35 PID 672 wrote to memory of 2608 672 Kamncagl.exe 35 PID 2608 wrote to memory of 1964 2608 Kkbbqjgb.exe 36 PID 2608 wrote to memory of 1964 2608 Kkbbqjgb.exe 36 PID 2608 wrote to memory of 1964 2608 Kkbbqjgb.exe 36 PID 2608 wrote to memory of 1964 2608 Kkbbqjgb.exe 36 PID 1964 wrote to memory of 2132 1964 Kejfio32.exe 37 PID 1964 wrote to memory of 2132 1964 Kejfio32.exe 37 PID 1964 wrote to memory of 2132 1964 Kejfio32.exe 37 PID 1964 wrote to memory of 2132 1964 Kejfio32.exe 37 PID 2132 wrote to memory of 2416 2132 Kgibeklf.exe 38 PID 2132 wrote to memory of 2416 2132 Kgibeklf.exe 38 PID 2132 wrote to memory of 2416 2132 Kgibeklf.exe 38 PID 2132 wrote to memory of 2416 2132 Kgibeklf.exe 38 PID 2416 wrote to memory of 2928 2416 Kjgoaflj.exe 39 PID 2416 wrote to memory of 2928 2416 Kjgoaflj.exe 39 PID 2416 wrote to memory of 2928 2416 Kjgoaflj.exe 39 PID 2416 wrote to memory of 2928 2416 Kjgoaflj.exe 39 PID 2928 wrote to memory of 2936 2928 Kmeknakn.exe 40 PID 2928 wrote to memory of 2936 2928 Kmeknakn.exe 40 PID 2928 wrote to memory of 2936 2928 Kmeknakn.exe 40 PID 2928 wrote to memory of 2936 2928 Kmeknakn.exe 40 PID 2936 wrote to memory of 3000 2936 Kgkokjjd.exe 41 PID 2936 wrote to memory of 3000 2936 Kgkokjjd.exe 41 PID 2936 wrote to memory of 3000 2936 Kgkokjjd.exe 41 PID 2936 wrote to memory of 3000 2936 Kgkokjjd.exe 41 PID 3000 wrote to memory of 2644 3000 Ljjkgfig.exe 42 PID 3000 wrote to memory of 2644 3000 Ljjkgfig.exe 42 PID 3000 wrote to memory of 2644 3000 Ljjkgfig.exe 42 PID 3000 wrote to memory of 2644 3000 Ljjkgfig.exe 42 PID 2644 wrote to memory of 1748 2644 Lmhhcaik.exe 43 PID 2644 wrote to memory of 1748 2644 Lmhhcaik.exe 43 PID 2644 wrote to memory of 1748 2644 Lmhhcaik.exe 43 PID 2644 wrote to memory of 1748 2644 Lmhhcaik.exe 43 PID 1748 wrote to memory of 2100 1748 Lpfdpmho.exe 44 PID 1748 wrote to memory of 2100 1748 Lpfdpmho.exe 44 PID 1748 wrote to memory of 2100 1748 Lpfdpmho.exe 44 PID 1748 wrote to memory of 2100 1748 Lpfdpmho.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\9983bc3b57abf4e0a5e412ff2e2449b0N.exe"C:\Users\Admin\AppData\Local\Temp\9983bc3b57abf4e0a5e412ff2e2449b0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Kgdijk32.exeC:\Windows\system32\Kgdijk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Lehfcc32.exeC:\Windows\system32\Lehfcc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe34⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe36⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Mpkjjofe.exeC:\Windows\system32\Mpkjjofe.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe44⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Nldgdpjf.exeC:\Windows\system32\Nldgdpjf.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe48⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe49⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe50⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Neohbe32.exeC:\Windows\system32\Neohbe32.exe52⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe55⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe57⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe58⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe62⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe66⤵PID:2764
-
C:\Windows\SysWOW64\Nefncd32.exeC:\Windows\system32\Nefncd32.exe67⤵PID:1604
-
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe68⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe69⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe70⤵PID:2588
-
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe71⤵PID:2536
-
C:\Windows\SysWOW64\Oamohenq.exeC:\Windows\system32\Oamohenq.exe72⤵PID:304
-
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe73⤵PID:2444
-
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe74⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe75⤵PID:2232
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe76⤵PID:1504
-
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe77⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe78⤵PID:2408
-
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe82⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe83⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe84⤵PID:3060
-
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe85⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe87⤵PID:1640
-
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe90⤵PID:1728
-
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe92⤵
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe94⤵PID:880
-
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe95⤵PID:1008
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe96⤵PID:2724
-
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe97⤵PID:2868
-
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe99⤵PID:1148
-
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe100⤵PID:2808
-
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe101⤵PID:3024
-
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe102⤵PID:2816
-
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe103⤵PID:612
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Pneiaidn.exeC:\Windows\system32\Pneiaidn.exe105⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe108⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe110⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe111⤵PID:1120
-
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe112⤵PID:2820
-
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Qklfqm32.exeC:\Windows\system32\Qklfqm32.exe114⤵PID:2184
-
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe116⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe121⤵
- System Location Discovery: System Language Discovery
PID:3040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-