Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 49s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03/09/2024, 10:30
Static task: static1
Behavioral task: behavioral1
Sample: d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe
Resource: win10v2004-20240802-en
General
Target: d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe
Size: 96KB
MD5: e11261c3703bc3ff5cdde5fda9f17ebc
SHA1: e4cd0051a8ed3601eb8c0bb1042704905ca818e8
SHA256: d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52
SHA512: 29ac0a6604ce306ca20d143a1562c2933f42a5189a9163c20be0f281b6174d91c176659963da91bef6b3cd9512086f45ab614550c20b09c402dcd31c0ad542af
SSDEEP: 1536:wj2Kkarx2qBRdd1wtEuNKIgY/zA79J128kZMa7AbCpGduV9jojTIvjr:wrrxJHtwNKm/zAn1ZCMakWpGd69jc0v
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Each value written under ShellServiceObjectDelayLoad is a CLSID that Explorer instantiates when the shell starts; the DLL actually loaded is whatever that CLSID's InProcServer32 key points at (see "Modifies registry class" below). Every generation of the dropped executable re-writes the same value, "Web Event Logger", with the same CLSID.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bndhle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mihkqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhkeml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cojgdf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfobed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njfnlahb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkjgiiln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Inpeak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okimnfkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pffnfdhg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bokapipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfblep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aiofln32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abgjecap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlfnlofp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkcqnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edkegplp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Giifkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkebokco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfmjfa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqlmnldd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oojmegqa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icpjoahe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhfniekh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpacmghc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anlodd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjlciihn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnbkgech.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfdflfjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hopidp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meqhkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Naooqndd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkooed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecelck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aendldnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idjmnecm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhiigmnn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdilbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egnknj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjlciihn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlalhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llkdieii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahgpbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dceodhjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jclqefac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lplqoiai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdcdnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ambohapm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aekplnlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpndcjqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkhnef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdelik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Papogbef.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eenige32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhhdoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knidfm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bddfhjma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdilbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnmiegma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idedbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hheimpfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llnhikkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Diekle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpmhhcjk.exe
Executes dropped EXE (64 IoCs)
pid | Process
1716 | Jnmlgpeo.exe
2288 | Jakhckdb.exe
2028 | Jjcllq32.exe
2696 | Jmbhhl32.exe
2900 | Jclqefac.exe
2428 | Jjfiap32.exe
2604 | Jmdenl32.exe
2216 | Kcnmjf32.exe
2368 | Kfmjfa32.exe
960 | Kmfbckfa.exe
2448 | Kliboh32.exe
2928 | Kfofla32.exe
2796 | Kimbhl32.exe
2924 | Kpgkef32.exe
1956 | Kbfgab32.exe
1884 | Klnljghg.exe
2420 | Kbhdfa32.exe
2396 | Kakdbngn.exe
2244 | Kdipnjfb.exe
1076 | Klqhogfd.exe
2144 | Koodlbeh.exe
1348 | Kamahn32.exe
1824 | Khgidhlh.exe
3036 | Lhjfjhje.exe
328 | Lglfed32.exe
1600 | Lkhbfcii.exe
2284 | Ldpfoipj.exe
2388 | Lmikhn32.exe
2828 | Lcecpe32.exe
2716 | Llnhikkb.exe
2952 | Lpidii32.exe
2872 | Leflapab.exe
1976 | Lhehnlqf.exe
2868 | Lplqoiai.exe
2248 | Meiigppp.exe
2784 | Mhgeckoc.exe
1680 | Mkeapgng.exe
1796 | Mekfmp32.exe
2896 | Mkhnef32.exe
1544 | Membbo32.exe
1828 | Mdpbnlbe.exe
1048 | Mhlonk32.exe
1992 | Mkjkkf32.exe
1880 | Madcgpao.exe
924 | Mpgccm32.exe
272 | Mhnkdjhl.exe
1496 | Mklhpfho.exe
1420 | Mjohlb32.exe
1088 | Mafpmp32.exe
2400 | Mdelik32.exe
2340 | Mkodfeem.exe
2328 | Nnmqbaeq.exe
2856 | Nqlmnldd.exe
2752 | Ndgiok32.exe
2596 | Ncjijhch.exe
2280 | Nfhefc32.exe
404 | Nlbncmih.exe
1492 | Nqnicl32.exe
2056 | Noajoihl.exe
2632 | Nclfpg32.exe
1500 | Nfkblc32.exe
2252 | Njfnlahb.exe
1936 | Nhinhn32.exe
2380 | Nqpfil32.exe
Loads dropped DLL (64 IoCs)
pid | Process (the report lists each of the 32 processes below twice, 64 rows in all)
2972 | d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe
1716 | Jnmlgpeo.exe
2288 | Jakhckdb.exe
2028 | Jjcllq32.exe
2696 | Jmbhhl32.exe
2900 | Jclqefac.exe
2428 | Jjfiap32.exe
2604 | Jmdenl32.exe
2216 | Kcnmjf32.exe
2368 | Kfmjfa32.exe
960 | Kmfbckfa.exe
2448 | Kliboh32.exe
2928 | Kfofla32.exe
2796 | Kimbhl32.exe
2924 | Kpgkef32.exe
1956 | Kbfgab32.exe
1884 | Klnljghg.exe
2420 | Kbhdfa32.exe
2396 | Kakdbngn.exe
2244 | Kdipnjfb.exe
1076 | Klqhogfd.exe
2144 | Koodlbeh.exe
1348 | Kamahn32.exe
1824 | Khgidhlh.exe
3036 | Lhjfjhje.exe
328 | Lglfed32.exe
1600 | Lkhbfcii.exe
2284 | Ldpfoipj.exe
2388 | Lmikhn32.exe
2828 | Lcecpe32.exe
2716 | Llnhikkb.exe
2952 | Lpidii32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Aocdec32.exe | Aldhih32.exe
File created | C:\Windows\SysWOW64\Cddoggde.dll | Faflfc32.exe
File created | C:\Windows\SysWOW64\Oinflf32.dll | Pbkbff32.exe
File opened for modification | C:\Windows\SysWOW64\Bblpofpf.exe | Boqdng32.exe
File opened for modification | C:\Windows\SysWOW64\Bppqhjnp.exe | Bhiigmnn.exe
File created | C:\Windows\SysWOW64\Fmpmaqaq.exe | Fidqab32.exe
File created | C:\Windows\SysWOW64\Kfppop32.exe | Kgmodcqg.exe
File created | C:\Windows\SysWOW64\Lbhopp32.dll | Fljcnl32.exe
File opened for modification | C:\Windows\SysWOW64\Jmdenl32.exe | Jjfiap32.exe
File created | C:\Windows\SysWOW64\Mhnkdjhl.exe | Mpgccm32.exe
File opened for modification | C:\Windows\SysWOW64\Pndoqf32.exe | Pjhcphkf.exe
File created | C:\Windows\SysWOW64\Ikbidp32.exe | Igfmdadd.exe
File created | C:\Windows\SysWOW64\Ponene32.dll | Leallkbl.exe
File created | C:\Windows\SysWOW64\Mpiinfbk.exe | Mhaami32.exe
File created | C:\Windows\SysWOW64\Kbglia32.dll | Cogjofae.exe
File created | C:\Windows\SysWOW64\Lnhgdknl.dll | Hckddoio.exe
File opened for modification | C:\Windows\SysWOW64\Mpdpcg32.exe | Mlhdbhng.exe
File created | C:\Windows\SysWOW64\Fhpnic32.dll | Npdlbj32.exe
File opened for modification | C:\Windows\SysWOW64\Anqhoddb.exe | Ajeloe32.exe
File opened for modification | C:\Windows\SysWOW64\Fdmhnqjf.exe | Fmbpaf32.exe
File created | C:\Windows\SysWOW64\Gkemla32.dll | Kfofla32.exe
File opened for modification | C:\Windows\SysWOW64\Gaqefh32.exe | Gobijm32.exe
File opened for modification | C:\Windows\SysWOW64\Kelfbh32.exe | Jbnjfm32.exe
File opened for modification | C:\Windows\SysWOW64\Cppmgm32.exe | Cldagoib.exe
File created | C:\Windows\SysWOW64\Ekneiagh.dll | Dffhfc32.exe
File created | C:\Windows\SysWOW64\Gamafbjb.exe | Gifjeeip.exe
File created | C:\Windows\SysWOW64\Ibiflmjc.dll | Qohilfpj.exe
File created | C:\Windows\SysWOW64\Pplnmiij.dll | Bedjmcgp.exe
File created | C:\Windows\SysWOW64\Jkmlhccn.exe | Jioplhdj.exe
File created | C:\Windows\SysWOW64\Knekknjg.exe | Kkfoobkc.exe
File created | C:\Windows\SysWOW64\Lihoaj32.exe | Lelbak32.exe
File created | C:\Windows\SysWOW64\Mjpnka32.dll | Qimifn32.exe
File opened for modification | C:\Windows\SysWOW64\Khgidhlh.exe | Kamahn32.exe
File created | C:\Windows\SysWOW64\Nnmqbaeq.exe | Mkodfeem.exe
File created | C:\Windows\SysWOW64\Oonbnfio.exe | Oqkbbi32.exe
File created | C:\Windows\SysWOW64\Pehggk32.exe | Pmaofnkc.exe
File opened for modification | C:\Windows\SysWOW64\Holedjom.exe | Hkaicl32.exe
File created | C:\Windows\SysWOW64\Kefhcm32.dll | Nlbncmih.exe
File created | C:\Windows\SysWOW64\Epfjjnkl.exe | Eljnio32.exe
File opened for modification | C:\Windows\SysWOW64\Epfjjnkl.exe | Eljnio32.exe
File created | C:\Windows\SysWOW64\Fjlebelq.dll | Eljnio32.exe
File created | C:\Windows\SysWOW64\Bdoloddi.dll | Jjibkl32.exe
File created | C:\Windows\SysWOW64\Mgiodb32.exe | Mhfniekh.exe
File created | C:\Windows\SysWOW64\Fcjenkhm.exe | Fpninl32.exe
File opened for modification | C:\Windows\SysWOW64\Hdpcmpgl.exe | Habgqehi.exe
File opened for modification | C:\Windows\SysWOW64\Nfmoabnf.exe | Ncobeg32.exe
File created | C:\Windows\SysWOW64\Cpamgobk.dll | Bnnblfgm.exe
File opened for modification | C:\Windows\SysWOW64\Gpebhd32.exe | Gmgfli32.exe
File created | C:\Windows\SysWOW64\Mjqofc32.dll | Pnlbea32.exe
File created | C:\Windows\SysWOW64\Kbnecdem.dll | Ndgiok32.exe
File created | C:\Windows\SysWOW64\Nkjgiiln.exe | Nhlkmnmj.exe
File opened for modification | C:\Windows\SysWOW64\Ahlphpmk.exe | Aendldnh.exe
File opened for modification | C:\Windows\SysWOW64\Hlffcdnm.exe | Hhjjbe32.exe
File created | C:\Windows\SysWOW64\Omiboo32.dll | Jmhogg32.exe
File created | C:\Windows\SysWOW64\Ppbhhi32.exe | Paohmlaj.exe
File opened for modification | C:\Windows\SysWOW64\Jbnjfm32.exe | Jnbnenli.exe
File opened for modification | C:\Windows\SysWOW64\Ccqjje32.exe | Blgamkdd.exe
File created | C:\Windows\SysWOW64\Djjnfbei.exe | Dfobed32.exe
File created | C:\Windows\SysWOW64\Dnkiac32.dll | Epllhlbg.exe
File opened for modification | C:\Windows\SysWOW64\Okoqdi32.exe | Oddhho32.exe
File created | C:\Windows\SysWOW64\Geghlg32.exe | Galllipa.exe
File created | C:\Windows\SysWOW64\Ejmgjf32.exe | Egnknj32.exe
File opened for modification | C:\Windows\SysWOW64\Kphdhenb.exe | Kaedmi32.exe
File created | C:\Windows\SysWOW64\Mpacmghc.exe | Maocak32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7260 | 7228 | WerFault.exe | 746
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pipqgq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dqcqgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imcelhbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knggqm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdinla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbhdfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kamahn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cakpfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkjgiiln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggmnoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpfmhg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkooed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fljcnl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhicho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpgccm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdcdnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmlnbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Einnbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpiinfbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndohbiae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnopdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hakapfnq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbbeomon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Floccbai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afcfebii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eibdkb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbonnjpq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkaicl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfhefc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Noecjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oojmegqa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pplejj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjqfebnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aiacamhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpeanp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Galllipa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbemeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpacmghc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlojcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cppmgm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faflfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gohlik32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfibeoog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkbnpaln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejhnofjg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnbnenli.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhdace32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pibmmp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akafff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dninfgol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkfmjndo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hegdkkje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jofkcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnodfbdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgdgngml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfclpcik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nohpph32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ambohapm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Innhkknc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaedmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lflokn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Piojmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldpfoipj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bghcjk32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Meiigppp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghbqhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdiamnki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gohlik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpqecon.dll" | Geghlg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hlpemo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nlbncmih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ofmkpfqa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mdmonf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjhmo32.dll" | Bdgcniko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghppaq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lhmlbfcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdhlh32.dll" | Ofeneqcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Baampb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpjkeid.dll" | Cnaqkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hdljaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Knidfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajeloe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eenige32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hlhbhdlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdboqo32.dll" | Ahkiniip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mandkeki.dll" | Apchim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pednllpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjook32.dll" | Bpfnbkfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpfci32.dll" | Hkhodk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgdpg32.dll" | Elhacpef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Biobkamk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpndcjqc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gbonnjpq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncjijhch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehpij32.dll" | Fbdbemml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnjnijh.dll" | Abldpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalbppb.dll" | Aocdec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkngckie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gjamdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Piojmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokeoeaj.dll" | Bklbpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddfllp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lpidii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mekfmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepenl32.dll" | Aendldnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjcec32.dll" | Cngebd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbijkh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdnkhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqhgh32.dll" | Mklhpfho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpcicapk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgmodcqg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lkpaja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oonbnfio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bagafeai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbamd32.dll" | Pbhnfpoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qpgachdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljpfqgg.dll" | Lcecpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibndjkh.dll" | Jaonlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghckjj32.dll" | Jfbpfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cneiai32.dll" | Kaedmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Naooqndd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpileedj.dll" | Qaadblog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aendldnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fhfhip32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kgplicod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmoca32.dll" | Jnmlgpeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikiojik.dll" | Bjillfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pnlbea32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each process below is spawned by the one listed before it (the number in parentheses is its nesting depth in the process tree); the bullets under each entry are the signatures that fired for that process.
- C:\Users\Admin\AppData\Local\Temp\d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe (depth 1, PID 2972), command line "C:\Users\Admin\AppData\Local\Temp\d90a015572edd192eb4f274e64b067a2f897f5e9ff63980f3a34c8bd11f91b52.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jnmlgpeo.exe (depth 2, PID 1716), command line C:\Windows\system32\Jnmlgpeo.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jakhckdb.exe (depth 3, PID 2288), command line C:\Windows\system32\Jakhckdb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jjcllq32.exe (depth 4, PID 2028), command line C:\Windows\system32\Jjcllq32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jmbhhl32.exe (depth 5, PID 2696), command line C:\Windows\system32\Jmbhhl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jclqefac.exe (depth 6, PID 2900), command line C:\Windows\system32\Jclqefac.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jjfiap32.exe (depth 7, PID 2428), command line C:\Windows\system32\Jjfiap32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jmdenl32.exe (depth 8, PID 2604), command line C:\Windows\system32\Jmdenl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kcnmjf32.exe (depth 9, PID 2216), command line C:\Windows\system32\Kcnmjf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kfmjfa32.exe (depth 10, PID 2368), command line C:\Windows\system32\Kfmjfa32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kmfbckfa.exe (depth 11, PID 960), command line C:\Windows\system32\Kmfbckfa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kliboh32.exe (depth 12, PID 2448), command line C:\Windows\system32\Kliboh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kfofla32.exe (depth 13, PID 2928), command line C:\Windows\system32\Kfofla32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kimbhl32.exe (depth 14, PID 2796), command line C:\Windows\system32\Kimbhl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kpgkef32.exe (depth 15, PID 2924), command line C:\Windows\system32\Kpgkef32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kbfgab32.exe (depth 16, PID 1956), command line C:\Windows\system32\Kbfgab32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Klnljghg.exe (depth 17, PID 1884), command line C:\Windows\system32\Klnljghg.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kbhdfa32.exe (depth 18, PID 2420), command line C:\Windows\system32\Kbhdfa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Kakdbngn.exe (depth 19, PID 2396), command line C:\Windows\system32\Kakdbngn.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kdipnjfb.exe (depth 20, PID 2244), command line C:\Windows\system32\Kdipnjfb.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Klqhogfd.exe (depth 21, PID 1076), command line C:\Windows\system32\Klqhogfd.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Koodlbeh.exe (depth 22, PID 2144), command line C:\Windows\system32\Koodlbeh.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kamahn32.exe (depth 23, PID 1348), command line C:\Windows\system32\Kamahn32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Khgidhlh.exe (depth 24, PID 1824), command line C:\Windows\system32\Khgidhlh.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lhjfjhje.exe (depth 25, PID 3036), command line C:\Windows\system32\Lhjfjhje.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lglfed32.exe (depth 26, PID 328), command line C:\Windows\system32\Lglfed32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lkhbfcii.exe (depth 27, PID 1600), command line C:\Windows\system32\Lkhbfcii.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ldpfoipj.exe (depth 28, PID 2284), command line C:\Windows\system32\Ldpfoipj.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Lmikhn32.exe (depth 29, PID 2388), command line C:\Windows\system32\Lmikhn32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lcecpe32.exe (depth 30, PID 2828), command line C:\Windows\system32\Lcecpe32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Llnhikkb.exe (depth 31, PID 2716), command line C:\Windows\system32\Llnhikkb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lpidii32.exe (depth 32, PID 2952), command line C:\Windows\system32\Lpidii32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Leflapab.exe (depth 33, PID 2872), command line C:\Windows\system32\Leflapab.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lhehnlqf.exe (depth 34, PID 1976), command line C:\Windows\system32\Lhehnlqf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lplqoiai.exe (depth 35, PID 2868), command line C:\Windows\system32\Lplqoiai.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Meiigppp.exe (depth 36, PID 2248), command line C:\Windows\system32\Meiigppp.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mhgeckoc.exe (depth 37, PID 2784), command line C:\Windows\system32\Mhgeckoc.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mkeapgng.exe (depth 38, PID 1680), command line C:\Windows\system32\Mkeapgng.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mekfmp32.exe (depth 39, PID 1796), command line C:\Windows\system32\Mekfmp32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mkhnef32.exe (depth 40, PID 2896), command line C:\Windows\system32\Mkhnef32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Membbo32.exe (depth 41, PID 1544), command line C:\Windows\system32\Membbo32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mdpbnlbe.exe (depth 42, PID 1828), command line C:\Windows\system32\Mdpbnlbe.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mhlonk32.exe (depth 43, PID 1048), command line C:\Windows\system32\Mhlonk32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mkjkkf32.exe (depth 44, PID 1992), command line C:\Windows\system32\Mkjkkf32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Madcgpao.exe (depth 45, PID 1880), command line C:\Windows\system32\Madcgpao.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mpgccm32.exe (depth 46, PID 924), command line C:\Windows\system32\Mpgccm32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Mhnkdjhl.exe (depth 47, PID 272), command line C:\Windows\system32\Mhnkdjhl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mklhpfho.exe (depth 48, PID 1496), command line C:\Windows\system32\Mklhpfho.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mjohlb32.exe (depth 49, PID 1420), command line C:\Windows\system32\Mjohlb32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mafpmp32.exe (depth 50, PID 1088), command line C:\Windows\system32\Mafpmp32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mdelik32.exe (depth 51, PID 2400), command line C:\Windows\system32\Mdelik32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mkodfeem.exe (depth 52, PID 2340), command line C:\Windows\system32\Mkodfeem.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nnmqbaeq.exe (depth 53, PID 2328), command line C:\Windows\system32\Nnmqbaeq.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nqlmnldd.exe (depth 54, PID 2856), command line C:\Windows\system32\Nqlmnldd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ndgiok32.exe (depth 55, PID 2752), command line C:\Windows\system32\Ndgiok32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ncjijhch.exe (depth 56, PID 2596), command line C:\Windows\system32\Ncjijhch.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Nfhefc32.exe (depth 57, PID 2280), command line C:\Windows\system32\Nfhefc32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Nlbncmih.exe (depth 58, PID 404), command line C:\Windows\system32\Nlbncmih.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Nqnicl32.exe (depth 59, PID 1492), command line C:\Windows\system32\Nqnicl32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Noajoihl.exe (depth 60, PID 2056), command line C:\Windows\system32\Noajoihl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nclfpg32.exe (depth 61, PID 2632), command line C:\Windows\system32\Nclfpg32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nfkblc32.exe (depth 62, PID 1500), command line C:\Windows\system32\Nfkblc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Njfnlahb.exe (depth 63, PID 2252), command line C:\Windows\system32\Njfnlahb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nhinhn32.exe (depth 64, PID 1936), command line C:\Windows\system32\Nhinhn32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nqpfil32.exe (depth 65, PID 2380), command line C:\Windows\system32\Nqpfil32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ncobeg32.exe (depth 66, PID 2456), command line C:\Windows\system32\Ncobeg32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nfmoabnf.exe (depth 67, PID 3024), command line C:\Windows\system32\Nfmoabnf.exe
- C:\Windows\SysWOW64\Nhlkmnmj.exe (depth 68, PID 876), command line C:\Windows\system32\Nhlkmnmj.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nkjgiiln.exe (depth 69, PID 1620), command line C:\Windows\system32\Nkjgiiln.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Noecjh32.exe (depth 70, PID 2076), command line C:\Windows\system32\Noecjh32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Ncaokgmp.exe (depth 71, PID 2384), command line C:\Windows\system32\Ncaokgmp.exe
- C:\Windows\SysWOW64\Ndblbo32.exe (depth 72, PID 2708), command line C:\Windows\system32\Ndblbo32.exe
- C:\Windows\SysWOW64\Nhnhcnkg.exe (depth 73, PID 2620), command line C:\Windows\system32\Nhnhcnkg.exe
- C:\Windows\SysWOW64\Nohpph32.exe (depth 74, PID 3056), command line C:\Windows\system32\Nohpph32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Oddhho32.exe (depth 75, PID 2560), command line C:\Windows\system32\Oddhho32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Okoqdi32.exe (depth 76, PID 2688), command line C:\Windows\system32\Okoqdi32.exe
- C:\Windows\SysWOW64\Oojmegqa.exe (depth 77, PID 1696), command line C:\Windows\system32\Oojmegqa.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Obiiacpe.exe (depth 78, PID 2580), command line C:\Windows\system32\Obiiacpe.exe
- C:\Windows\SysWOW64\Odgennoi.exe (depth 79, PID 2536), command line C:\Windows\system32\Odgennoi.exe
- C:\Windows\SysWOW64\Oibanm32.exe (depth 80, PID 2576), command line C:\Windows\system32\Oibanm32.exe
- C:\Windows\SysWOW64\Ogeajjnl.exe (depth 81, PID 3004), command line C:\Windows\system32\Ogeajjnl.exe
- C:\Windows\SysWOW64\Onojfd32.exe (depth 82, PID 1384), command line C:\Windows\system32\Onojfd32.exe
- C:\Windows\SysWOW64\Obkegbnb.exe (depth 83, PID 2488), command line C:\Windows\system32\Obkegbnb.exe
- C:\Windows\SysWOW64\Oeibcnmf.exe (depth 84, PID 1364), command line C:\Windows\system32\Oeibcnmf.exe
- C:\Windows\SysWOW64\Oclbok32.exe (depth 85, PID 3048), command line C:\Windows\system32\Oclbok32.exe
- C:\Windows\SysWOW64\Okcjphdc.exe (depth 86, PID 1672), command line C:\Windows\system32\Okcjphdc.exe
- C:\Windows\SysWOW64\Ojfjke32.exe (depth 87, PID 1900), command line C:\Windows\system32\Ojfjke32.exe
- C:\Windows\SysWOW64\Oqpbhobj.exe (depth 88, PID 2208), command line C:\Windows\system32\Oqpbhobj.exe
- C:\Windows\SysWOW64\Oeloin32.exe (depth 89, PID 2884), command line C:\Windows\system32\Oeloin32.exe
- C:\Windows\SysWOW64\Ocoodjan.exe (depth 90, PID 2612), command line C:\Windows\system32\Ocoodjan.exe
- C:\Windows\SysWOW64\Ofmkpfqa.exe (depth 91, PID 2196), command line C:\Windows\system32\Ofmkpfqa.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Ondcacad.exe (depth 92, PID 2256), command line C:\Windows\system32\Ondcacad.exe
- C:\Windows\SysWOW64\Oabonopg.exe (depth 93, PID 1820), command line C:\Windows\system32\Oabonopg.exe
- C:\Windows\SysWOW64\Ocakjjok.exe (depth 94, PID 2512), command line C:\Windows\system32\Ocakjjok.exe
- C:\Windows\SysWOW64\Oglgji32.exe (depth 95, PID 2332), command line C:\Windows\system32\Oglgji32.exe
- C:\Windows\SysWOW64\Oindba32.exe (depth 96, PID 556), command line C:\Windows\system32\Oindba32.exe
- C:\Windows\SysWOW64\Omipbpfl.exe (depth 97, PID 1396), command line C:\Windows\system32\Omipbpfl.exe
- C:\Windows\SysWOW64\Pphlokep.exe (depth 98, PID 3052), command line C:\Windows\system32\Pphlokep.exe
- C:\Windows\SysWOW64\Pbfhkfdc.exe (depth 99, PID 2080), command line C:\Windows\system32\Pbfhkfdc.exe
- C:\Windows\SysWOW64\Pjmqldee.exe (depth 100, PID 2232), command line C:\Windows\system32\Pjmqldee.exe
- C:\Windows\SysWOW64\Pipqgq32.exe (depth 101, PID 2892), command line C:\Windows\system32\Pipqgq32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Ppjidkcm.exe (depth 102, PID 2656), command line C:\Windows\system32\Ppjidkcm.exe
- C:\Windows\SysWOW64\Pbhepfbq.exe (depth 103, PID 2660), command line C:\Windows\system32\Pbhepfbq.exe
- C:\Windows\SysWOW64\Pegalaad.exe (depth 104, PID 2680), command line C:\Windows\system32\Pegalaad.exe
- C:\Windows\SysWOW64\Pibmmp32.exe (depth 105, PID 1980), command line C:\Windows\system32\Pibmmp32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Plqjilia.exe (depth 106, PID 1704), command line C:\Windows\system32\Plqjilia.exe
- C:\Windows\SysWOW64\Pplejj32.exe (depth 107, PID 2304), command line C:\Windows\system32\Pplejj32.exe
  - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Pbkbff32.exe (depth 108, PID 912), command line C:\Windows\system32\Pbkbff32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pffnfdhg.exe (depth 109, PID 1732), command line C:\Windows\system32\Pffnfdhg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Piejbpgk.exe (depth 110, PID 1524), command line C:\Windows\system32\Piejbpgk.exe
- C:\Windows\SysWOW64\Phgjnm32.exe (depth 111, PID 1288), command line C:\Windows\system32\Phgjnm32.exe
- C:\Windows\SysWOW64\Ppoboj32.exe (depth 112, PID 2072), command line C:\Windows\system32\Ppoboj32.exe
- C:\Windows\SysWOW64\Papogbef.exe (depth 113, PID 2436), command line C:\Windows\system32\Papogbef.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Pekkga32.exe (depth 114, PID 2748), command line C:\Windows\system32\Pekkga32.exe
- C:\Windows\SysWOW64\Phjgdm32.exe (depth 115, PID 2648), command line C:\Windows\system32\Phjgdm32.exe
- C:\Windows\SysWOW64\Pjhcphkf.exe (depth 116, PID 1480), command line C:\Windows\system32\Pjhcphkf.exe
- C:\Windows\SysWOW64\Pjhcphkf.exe (depth 117, PID 1560), command line C:\Windows\system32\Pjhcphkf.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pndoqf32.exe (depth 118, PID 560), command line C:\Windows\system32\Pndoqf32.exe
- C:\Windows\SysWOW64\Pabkmb32.exe (depth 119, PID 2964), command line C:\Windows\system32\Pabkmb32.exe
- C:\Windows\SysWOW64\Pdqhin32.exe (depth 120, PID 1008), command line C:\Windows\system32\Pdqhin32.exe
- C:\Windows\SysWOW64\Pdqhin32.exe (depth 121, PID 2192), command line C:\Windows\system32\Pdqhin32.exe
- C:\Windows\SysWOW64\Qhldiljp.exe (depth 122, PID 1916), command line C:\Windows\system32\Qhldiljp.exe