Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 22:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe
-
Size
378KB
-
MD5
3f5148a32283d9ff2e34d669ebd690df
-
SHA1
d8a9fad93a13cc6f4f25f63fd6edad17ca60026e
-
SHA256
52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218
-
SHA512
eed92350d202b5360ff1301e98ff716494d39800ad70a14052b894aa5796354ae7065f3fd13c288d4eba6bf3210d5d619774b51c8758f6af6b1a70e6f4bbb179
-
SSDEEP
6144:TLUZzUwtBEyeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQ+:TLazUwtyyeYr75lTefkY660fIaDZkY61
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkielpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhepeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piliii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhicbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebckmaec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaogognm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmiag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlafkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iogpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpdcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jllqplnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacjjacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaejojjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apkgpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdadjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe -
Executes dropped EXE 64 IoCs
pid Process 1520 Hgflflqg.exe 1100 Hnpdcf32.exe 2356 Hejmpqop.exe 2912 Iacjjacb.exe 2588 Iaegpaao.exe 2280 Ifbphh32.exe 2596 Imodkadq.exe 2152 Iejiodbl.exe 1084 Jhjbqo32.exe 1172 Jndjmifj.exe 400 Joidhh32.exe 1384 Jdflqo32.exe 1892 Jjpdmi32.exe 1628 Jajmjcoe.exe 2244 Kdmban32.exe 724 Kofcbl32.exe 972 Keqkofno.exe 2812 Kechdf32.exe 2680 Kcginj32.exe 1744 Keeeje32.exe 1848 Lonibk32.exe 2432 Ldjbkb32.exe 3044 Lkdjglfo.exe 2440 Lncfcgeb.exe 2516 Ldmopa32.exe 2296 Lkggmldl.exe 2208 Lcblan32.exe 2396 Lkicbk32.exe 2848 Lpflkb32.exe 2916 Mphiqbon.exe 1696 Mcfemmna.exe 2612 Mfeaiime.exe 1336 Mblbnj32.exe 2936 Mjcjog32.exe 2768 Mlafkb32.exe 1064 Mdmkoepk.exe 2148 Mobomnoq.exe 1708 Mneohj32.exe 2620 Modlbmmn.exe 2260 Mqehjecl.exe 2956 Mdadjd32.exe 1976 Nkkmgncb.exe 1844 Nqhepeai.exe 1812 Ndcapd32.exe 1168 Nknimnap.exe 1640 Njpihk32.exe 320 Ndfnecgp.exe 2404 Ngdjaofc.exe 1612 Njbfnjeg.exe 648 Nnnbni32.exe 1692 Nppofado.exe 1212 Nckkgp32.exe 2716 Nfigck32.exe 2640 Nihcog32.exe 2424 Nqokpd32.exe 2900 Nbpghl32.exe 1676 Nflchkii.exe 540 Nijpdfhm.exe 336 Npdhaq32.exe 1632 Obbdml32.exe 1800 Omhhke32.exe 1704 Olkifaen.exe 2192 Oniebmda.exe 1752 Ofqmcj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 1520 Hgflflqg.exe 1520 Hgflflqg.exe 1100 Hnpdcf32.exe 1100 Hnpdcf32.exe 2356 Hejmpqop.exe 2356 Hejmpqop.exe 2912 Iacjjacb.exe 2912 Iacjjacb.exe 2588 Iaegpaao.exe 2588 Iaegpaao.exe 2280 Ifbphh32.exe 2280 Ifbphh32.exe 2596 Imodkadq.exe 2596 Imodkadq.exe 2152 Iejiodbl.exe 2152 Iejiodbl.exe 1084 Jhjbqo32.exe 1084 Jhjbqo32.exe 1172 Jndjmifj.exe 1172 Jndjmifj.exe 400 Joidhh32.exe 400 Joidhh32.exe 1384 Jdflqo32.exe 1384 Jdflqo32.exe 1892 Jjpdmi32.exe 1892 Jjpdmi32.exe 1628 Jajmjcoe.exe 1628 Jajmjcoe.exe 2244 Kdmban32.exe 2244 Kdmban32.exe 724 Kofcbl32.exe 724 Kofcbl32.exe 972 Keqkofno.exe 972 Keqkofno.exe 2812 Kechdf32.exe 2812 Kechdf32.exe 2680 Kcginj32.exe 2680 Kcginj32.exe 1744 Keeeje32.exe 1744 Keeeje32.exe 1848 Lonibk32.exe 1848 Lonibk32.exe 2432 Ldjbkb32.exe 2432 Ldjbkb32.exe 3044 Lkdjglfo.exe 3044 Lkdjglfo.exe 2440 Lncfcgeb.exe 2440 Lncfcgeb.exe 2516 Ldmopa32.exe 2516 Ldmopa32.exe 2296 Lkggmldl.exe 2296 Lkggmldl.exe 2208 Lcblan32.exe 2208 Lcblan32.exe 2396 Lkicbk32.exe 2396 Lkicbk32.exe 2848 Lpflkb32.exe 2848 Lpflkb32.exe 2916 Mphiqbon.exe 2916 Mphiqbon.exe 1696 Mcfemmna.exe 1696 Mcfemmna.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qhihii32.dll Cmfmojcb.exe File created C:\Windows\SysWOW64\Mffbkj32.dll Gaojnq32.exe File created C:\Windows\SysWOW64\Mjcccnbp.dll Iaimipjl.exe File created C:\Windows\SysWOW64\Ldjbkb32.exe Lonibk32.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Pmehdh32.exe File created C:\Windows\SysWOW64\Qfomeb32.dll Gojhafnb.exe File created C:\Windows\SysWOW64\Canhhi32.dll Kkmmlgik.exe File created C:\Windows\SysWOW64\Njpihk32.exe Nknimnap.exe File opened for modification C:\Windows\SysWOW64\Kofcbl32.exe Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Obbdml32.exe Npdhaq32.exe File opened for modification C:\Windows\SysWOW64\Aklabp32.exe Aeoijidl.exe File opened for modification C:\Windows\SysWOW64\Fdnjkh32.exe Fihfnp32.exe File created C:\Windows\SysWOW64\Gmhkin32.exe Fgocmc32.exe File opened for modification C:\Windows\SysWOW64\Jjhgbd32.exe Jcnoejch.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Imodkadq.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kcginj32.exe File created C:\Windows\SysWOW64\Dnqlmq32.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Dgnjqe32.exe File created C:\Windows\SysWOW64\Joidhh32.exe Jndjmifj.exe File created C:\Windows\SysWOW64\Hhkbcb32.dll Njpihk32.exe File created C:\Windows\SysWOW64\Pfnmmn32.exe Pdppqbkn.exe File created C:\Windows\SysWOW64\Qldhkc32.exe Popgboae.exe File created C:\Windows\SysWOW64\Egmpofck.dll Daaenlng.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Bdgoqijf.dll Gefmcp32.exe File opened for modification C:\Windows\SysWOW64\Lpflkb32.exe Lkicbk32.exe File created C:\Windows\SysWOW64\Pdioqoen.dll Omhhke32.exe File created C:\Windows\SysWOW64\Oiafee32.exe Oefjdgjk.exe File opened for modification C:\Windows\SysWOW64\Oaogognm.exe Ojeobm32.exe File opened for modification C:\Windows\SysWOW64\Qldhkc32.exe Popgboae.exe File created C:\Windows\SysWOW64\Kgcnahoo.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Acfenf32.dll Mlafkb32.exe File created C:\Windows\SysWOW64\Mdceqkca.dll Mcfemmna.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Modlbmmn.exe File opened for modification C:\Windows\SysWOW64\Ndfnecgp.exe Njpihk32.exe File created C:\Windows\SysWOW64\Bpifad32.dll Peefcjlg.exe File created C:\Windows\SysWOW64\Ccpeld32.exe Cmfmojcb.exe File created C:\Windows\SysWOW64\Qhehaf32.dll Hifbdnbi.exe File created C:\Windows\SysWOW64\Kcginj32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Egncgo32.dll Olbogqoe.exe File created C:\Windows\SysWOW64\Epnhpglg.exe Ejaphpnp.exe File opened for modification C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File created C:\Windows\SysWOW64\Hifbdnbi.exe Hjcaha32.exe File opened for modification C:\Windows\SysWOW64\Jmipdo32.exe Jjjdhc32.exe File created C:\Windows\SysWOW64\Diijaiep.dll Jjpdmi32.exe File created C:\Windows\SysWOW64\Lkdjglfo.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Ofqmcj32.exe Oniebmda.exe File opened for modification C:\Windows\SysWOW64\Blfapfpg.exe Afliclij.exe File created C:\Windows\SysWOW64\Bolcma32.exe Bgdkkc32.exe File opened for modification C:\Windows\SysWOW64\Cogfqe32.exe Cglalbbi.exe File opened for modification C:\Windows\SysWOW64\Jcqlkjae.exe Jmfcop32.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jedehaea.exe File created C:\Windows\SysWOW64\Kdmban32.exe Jajmjcoe.exe File opened for modification C:\Windows\SysWOW64\Fefqdl32.exe Fakdcnhh.exe File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Hffibceh.exe File created C:\Windows\SysWOW64\Acblbcob.dll Efedga32.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pbemboof.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Boifga32.exe File created C:\Windows\SysWOW64\Oalkih32.exe Ojbbmnhc.exe File created C:\Windows\SysWOW64\Hnnikfij.dll Kmfpmc32.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jnmiag32.exe File created C:\Windows\SysWOW64\Mmjplobo.dll Imodkadq.exe File created C:\Windows\SysWOW64\Modlbmmn.exe Mneohj32.exe File created C:\Windows\SysWOW64\Nknimnap.exe Ndcapd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3556 3488 WerFault.exe 277 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqgddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqjkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblbnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elkofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkicbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mblbnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihgmjad.dll" Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblkei32.dll" Ifbphh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfahenq.dll" Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fdkmeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfeaiime.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammbof32.dll" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdbepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdflqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmihd32.dll" Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfmojcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gecpnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppkgk32.dll" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgljaj32.dll" Aiaoclgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imodkadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blfapfpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqehjecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coecokqd.dll" Njbfnjeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kadica32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iogpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlafkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjleclph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Popgboae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkknac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejnl32.dll" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkifia32.dll" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Fbegbacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oalkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" Jjfkmdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldjbkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpflkb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 1520 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 31 PID 1924 wrote to memory of 1520 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 31 PID 1924 wrote to memory of 1520 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 31 PID 1924 wrote to memory of 1520 1924 52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe 31 PID 1520 wrote to memory of 1100 1520 Hgflflqg.exe 32 PID 1520 wrote to memory of 1100 1520 Hgflflqg.exe 32 PID 1520 wrote to memory of 1100 1520 Hgflflqg.exe 32 PID 1520 wrote to memory of 1100 1520 Hgflflqg.exe 32 PID 1100 wrote to memory of 2356 1100 Hnpdcf32.exe 33 PID 1100 wrote to memory of 2356 1100 Hnpdcf32.exe 33 PID 1100 wrote to memory of 2356 1100 Hnpdcf32.exe 33 PID 1100 wrote to memory of 2356 1100 Hnpdcf32.exe 33 PID 2356 wrote to memory of 2912 2356 Hejmpqop.exe 34 PID 2356 wrote to memory of 2912 2356 Hejmpqop.exe 34 PID 2356 wrote to memory of 2912 2356 Hejmpqop.exe 34 PID 2356 wrote to memory of 2912 2356 Hejmpqop.exe 34 PID 2912 wrote to memory of 2588 2912 Iacjjacb.exe 35 PID 2912 wrote to memory of 2588 2912 Iacjjacb.exe 35 PID 2912 wrote to memory of 2588 2912 Iacjjacb.exe 35 PID 2912 wrote to memory of 2588 2912 Iacjjacb.exe 35 PID 2588 wrote to memory of 2280 2588 Iaegpaao.exe 36 PID 2588 wrote to memory of 2280 2588 Iaegpaao.exe 36 PID 2588 wrote to memory of 2280 2588 Iaegpaao.exe 36 PID 2588 wrote to memory of 2280 2588 Iaegpaao.exe 36 PID 2280 wrote to memory of 2596 2280 Ifbphh32.exe 37 PID 2280 wrote to memory of 2596 2280 Ifbphh32.exe 37 PID 2280 wrote to memory of 2596 2280 Ifbphh32.exe 37 PID 2280 wrote to memory of 2596 2280 Ifbphh32.exe 37 PID 2596 wrote to memory of 2152 2596 Imodkadq.exe 38 PID 2596 wrote to memory of 2152 2596 Imodkadq.exe 38 PID 2596 wrote to memory of 2152 2596 Imodkadq.exe 38 PID 2596 wrote to memory of 2152 2596 Imodkadq.exe 38 PID 2152 wrote to memory of 1084 2152 Iejiodbl.exe 39 PID 2152 wrote to memory of 1084 2152 Iejiodbl.exe 39 PID 2152 wrote to memory of 1084 2152 Iejiodbl.exe 39 PID 2152 wrote to memory of 1084 2152 Iejiodbl.exe 39 PID 1084 wrote to memory of 1172 1084 Jhjbqo32.exe 40 PID 1084 wrote to memory of 1172 1084 Jhjbqo32.exe 40 PID 1084 wrote to memory of 1172 1084 Jhjbqo32.exe 40 PID 1084 wrote to memory of 1172 1084 Jhjbqo32.exe 40 PID 1172 wrote to memory of 400 1172 Jndjmifj.exe 41 PID 1172 wrote to memory of 400 1172 Jndjmifj.exe 41 PID 1172 wrote to memory of 400 1172 Jndjmifj.exe 41 PID 1172 wrote to memory of 400 1172 Jndjmifj.exe 41 PID 400 wrote to memory of 1384 400 Joidhh32.exe 42 PID 400 wrote to memory of 1384 400 Joidhh32.exe 42 PID 400 wrote to memory of 1384 400 Joidhh32.exe 42 PID 400 wrote to memory of 1384 400 Joidhh32.exe 42 PID 1384 wrote to memory of 1892 1384 Jdflqo32.exe 43 PID 1384 wrote to memory of 1892 1384 Jdflqo32.exe 43 PID 1384 wrote to memory of 1892 1384 Jdflqo32.exe 43 PID 1384 wrote to memory of 1892 1384 Jdflqo32.exe 43 PID 1892 wrote to memory of 1628 1892 Jjpdmi32.exe 44 PID 1892 wrote to memory of 1628 1892 Jjpdmi32.exe 44 PID 1892 wrote to memory of 1628 1892 Jjpdmi32.exe 44 PID 1892 wrote to memory of 1628 1892 Jjpdmi32.exe 44 PID 1628 wrote to memory of 2244 1628 Jajmjcoe.exe 45 PID 1628 wrote to memory of 2244 1628 Jajmjcoe.exe 45 PID 1628 wrote to memory of 2244 1628 Jajmjcoe.exe 45 PID 1628 wrote to memory of 2244 1628 Jajmjcoe.exe 45 PID 2244 wrote to memory of 724 2244 Kdmban32.exe 46 PID 2244 wrote to memory of 724 2244 Kdmban32.exe 46 PID 2244 wrote to memory of 724 2244 Kdmban32.exe 46 PID 2244 wrote to memory of 724 2244 Kdmban32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe"C:\Users\Admin\AppData\Local\Temp\52180e8d77a4e7aa020ee3a1baf46178ccaccb1bfe9629ebf2b093bc7ae9c218.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe35⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe48⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe49⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe51⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe53⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe54⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe57⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe58⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe63⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe66⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe67⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe69⤵
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe71⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe72⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe73⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe75⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe77⤵PID:608
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe79⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe82⤵PID:2256
-
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe83⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe84⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe85⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe86⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe88⤵PID:1396
-
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe89⤵PID:2080
-
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe91⤵PID:2964
-
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe92⤵PID:2100
-
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe93⤵PID:276
-
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe95⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe97⤵
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe98⤵PID:2484
-
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe100⤵PID:2040
-
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe101⤵PID:3056
-
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe102⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe105⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe106⤵PID:2976
-
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe107⤵PID:1756
-
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe108⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe109⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe110⤵PID:2204
-
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe112⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe113⤵
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe114⤵PID:2856
-
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe115⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe116⤵PID:2408
-
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe117⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Bbhccm32.exeC:\Windows\system32\Bbhccm32.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe120⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-