Analysis
- max time kernel: 26s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2024, 06:01
Static task: static1

Behavioral task: behavioral1
- Sample: d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89N.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89N.exe
- Resource: win10v2004-20241007-en
General
- Target: d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89N.exe
- Size: 89KB
- MD5: 8dc77b47802a35fcb57f9b05b8997970
- SHA1: fbd137c30cf0f1be3b48dea0f96a5d676cc9dd34
- SHA256: d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89
- SHA512: 4d84bf4e03c352d5274992eb92bebfdc537564295b71d47b6354d89bc6af7a46e1cfbfb42465e9ff08b554412c0506e02622b28dd2f747acc5014bd83bb3781d
- SSDEEP: 1536:j4BZxdCYVaOhCxrXBg1z4ZKEiybMyT9ItdPhDz6m/DbX8FJ6yl8cvTlExkg8F:j4BZzCshGXBe4ZKEiyoPtdJb/DbI9ict
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid    pid_target  Process       procid_target
  7712   7608        WerFault.exe  766
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89N.exe"C:\Users\Admin\AppData\Local\Temp\d7489c964a4a00a3b38d443f951125bd79dd57f7c9fe7cfdd10bdfc38ae55f89N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Jeidob32.exeC:\Windows\system32\Jeidob32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jmplqp32.exeC:\Windows\system32\Jmplqp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Jekaeb32.exeC:\Windows\system32\Jekaeb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jgjman32.exeC:\Windows\system32\Jgjman32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jennjblp.exeC:\Windows\system32\Jennjblp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jbandfkj.exeC:\Windows\system32\Jbandfkj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Knhoig32.exeC:\Windows\system32\Knhoig32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Kebgea32.exeC:\Windows\system32\Kebgea32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kfccmini.exeC:\Windows\system32\Kfccmini.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Kmnljc32.exeC:\Windows\system32\Kmnljc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kgcpgl32.exeC:\Windows\system32\Kgcpgl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Kidlodkj.exeC:\Windows\system32\Kidlodkj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Kfhmhi32.exeC:\Windows\system32\Kfhmhi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Kclmbm32.exeC:\Windows\system32\Kclmbm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Kmdbkbpn.exeC:\Windows\system32\Kmdbkbpn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Kfmfchfo.exeC:\Windows\system32\Kfmfchfo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Lhqpqp32.exeC:\Windows\system32\Lhqpqp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Lkolmk32.exeC:\Windows\system32\Lkolmk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Lbfdnijp.exeC:\Windows\system32\Lbfdnijp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Llnhgn32.exeC:\Windows\system32\Llnhgn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe34⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lgjfmlkm.exeC:\Windows\system32\Lgjfmlkm.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mapjjdjb.exeC:\Windows\system32\Mapjjdjb.exe36⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Mcafbm32.exeC:\Windows\system32\Mcafbm32.exe37⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mlikkbga.exeC:\Windows\system32\Mlikkbga.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Mdqclpgd.exeC:\Windows\system32\Mdqclpgd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Mcccglnn.exeC:\Windows\system32\Mcccglnn.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe41⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Mcfpmlll.exeC:\Windows\system32\Mcfpmlll.exe43⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Miphjf32.exeC:\Windows\system32\Miphjf32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Mlndfa32.exeC:\Windows\system32\Mlndfa32.exe45⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Mchmblji.exeC:\Windows\system32\Mchmblji.exe46⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Mibeofaf.exeC:\Windows\system32\Mibeofaf.exe48⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe49⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Moomgmpm.exeC:\Windows\system32\Moomgmpm.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Mamjchoa.exeC:\Windows\system32\Mamjchoa.exe51⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe52⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Nlcnaaog.exeC:\Windows\system32\Nlcnaaog.exe53⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe54⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe55⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe56⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe57⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Npecjdaf.exeC:\Windows\system32\Npecjdaf.exe60⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ngolgn32.exeC:\Windows\system32\Ngolgn32.exe61⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe62⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe63⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Njpdiifd.exeC:\Windows\system32\Njpdiifd.exe65⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nnkqih32.exeC:\Windows\system32\Nnkqih32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe67⤵PID:2268
-
C:\Windows\SysWOW64\Nchiao32.exeC:\Windows\system32\Nchiao32.exe68⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe69⤵PID:2736
-
C:\Windows\SysWOW64\Nnnmoh32.exeC:\Windows\system32\Nnnmoh32.exe70⤵PID:2604
-
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe72⤵PID:3068
-
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe73⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Oqnfqcjk.exeC:\Windows\system32\Oqnfqcjk.exe74⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe75⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe76⤵PID:3016
-
C:\Windows\SysWOW64\Ofkoijhc.exeC:\Windows\system32\Ofkoijhc.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Ohikeegf.exeC:\Windows\system32\Ohikeegf.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe79⤵PID:1840
-
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe80⤵PID:2964
-
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe81⤵PID:888
-
C:\Windows\SysWOW64\Odpljf32.exeC:\Windows\system32\Odpljf32.exe82⤵PID:1528
-
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe84⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Obdlcjkd.exeC:\Windows\system32\Obdlcjkd.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe86⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe87⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe88⤵PID:3040
-
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe89⤵PID:1764
-
C:\Windows\SysWOW64\Oiqaed32.exeC:\Windows\system32\Oiqaed32.exe90⤵PID:1592
-
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe91⤵PID:1512
-
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe92⤵PID:2552
-
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe93⤵PID:2480
-
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe94⤵PID:2004
-
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe95⤵PID:1768
-
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe96⤵PID:1656
-
C:\Windows\SysWOW64\Pejnpe32.exeC:\Windows\system32\Pejnpe32.exe97⤵PID:1748
-
C:\Windows\SysWOW64\Pghklq32.exeC:\Windows\system32\Pghklq32.exe98⤵PID:2224
-
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe99⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Pmecdgbk.exeC:\Windows\system32\Pmecdgbk.exe100⤵PID:2040
-
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe101⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe102⤵PID:1372
-
C:\Windows\SysWOW64\Pildih32.exeC:\Windows\system32\Pildih32.exe103⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe104⤵PID:2988
-
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe105⤵PID:1544
-
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe106⤵PID:2996
-
C:\Windows\SysWOW64\Pinqoh32.exeC:\Windows\system32\Pinqoh32.exe107⤵PID:2280
-
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe108⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Pbfehn32.exeC:\Windows\system32\Pbfehn32.exe109⤵PID:860
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe110⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe111⤵PID:620
-
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe112⤵PID:1652
-
C:\Windows\SysWOW64\Qfdnnlbc.exeC:\Windows\system32\Qfdnnlbc.exe113⤵PID:2516
-
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe114⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe115⤵
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe116⤵PID:2020
-
C:\Windows\SysWOW64\Abkncmhh.exeC:\Windows\system32\Abkncmhh.exe117⤵PID:2092
-
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe119⤵PID:2584
-
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe120⤵PID:2856
-
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe121⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe122⤵
- Drops file in System32 directory
PID:1196