Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 21:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe
-
Size
512KB
-
MD5
29f7079d17cc7dd5cf0a703ef3ef9c87
-
SHA1
72f9343d4567a41b8bcb445aab9323f1864ad3c5
-
SHA256
52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0
-
SHA512
a153f3bcca500fc67935f02db7f30f6044673ae3c9ba7de9b545480de27e0330e4115ea5afd1061734e1290838eabb7e3fc8e2bcc4a9b7f7515e2b5655e2a933
-
SSDEEP
12288:YRy400GyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgSg9:2y4PGyXsGG1wsLUT3Iipr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkalcdao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nladco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofafgipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oielnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainkcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcnnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejabqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poacighp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afeaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipqicdim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajnqphhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbqcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnimpcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpebidam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcemnopj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdlacfca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegkfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggbieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfnoegaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnogfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioefdpne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhninb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjddgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkkim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpicbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqmpkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emgdmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfnkmei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhpejbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbjpem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igeddb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdcofop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occjjnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emjhmipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inepgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adiaommc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlnhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfpjc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2280 Hqnjek32.exe 2828 Hclfag32.exe 2788 Ibacbcgg.exe 2676 Imggplgm.exe 2560 Injqmdki.exe 2296 Iipejmko.exe 2468 Igebkiof.exe 2420 Ieibdnnp.exe 2736 Iclbpj32.exe 2936 Jjfkmdlg.exe 1768 Jcqlkjae.exe 1128 Jjjdhc32.exe 2100 Jllqplnp.exe 1936 Jcciqi32.exe 1800 Jipaip32.exe 2160 Jpjifjdg.exe 1916 Jbhebfck.exe 992 Jibnop32.exe 896 Jlqjkk32.exe 1872 Kbjbge32.exe 2396 Keioca32.exe 2084 Khgkpl32.exe 1632 Kjeglh32.exe 2428 Koaclfgl.exe 2516 Kapohbfp.exe 2644 Kdnkdmec.exe 2352 Kocpbfei.exe 1544 Khldkllj.exe 2656 Koflgf32.exe 2652 Kdbepm32.exe 2552 Kfaalh32.exe 2220 Kipmhc32.exe 1780 Kageia32.exe 1964 Kdeaelok.exe 2224 Kgcnahoo.exe 2604 Lmmfnb32.exe 2584 Lplbjm32.exe 1316 Lidgcclp.exe 3036 Lcmklh32.exe 2916 Mainndaq.exe 2192 Mdgkjopd.exe 2124 Mgegfk32.exe 820 Mnpobefe.exe 2340 Mdigoo32.exe 2760 Mghckj32.exe 1568 Mjfphf32.exe 2564 Mpphdpcf.exe 3048 Mgjpaj32.exe 2844 Mlgiiaij.exe 880 Mcaafk32.exe 2952 Mfpmbf32.exe 2400 Mhninb32.exe 1852 Nqeapo32.exe 1504 Nccnlk32.exe 1932 Nfbjhf32.exe 2136 Njmfhe32.exe 1604 Nllbdp32.exe 1720 Ncfjajma.exe 1516 Nbhkmg32.exe 2988 Nmnojp32.exe 2328 Nomkfk32.exe 2980 Nnokahip.exe 2544 Nffccejb.exe 3000 Ndicnb32.exe -
Loads dropped DLL 64 IoCs
pid Process 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 2280 Hqnjek32.exe 2280 Hqnjek32.exe 2828 Hclfag32.exe 2828 Hclfag32.exe 2788 Ibacbcgg.exe 2788 Ibacbcgg.exe 2676 Imggplgm.exe 2676 Imggplgm.exe 2560 Injqmdki.exe 2560 Injqmdki.exe 2296 Iipejmko.exe 2296 Iipejmko.exe 2468 Igebkiof.exe 2468 Igebkiof.exe 2420 Ieibdnnp.exe 2420 Ieibdnnp.exe 2736 Iclbpj32.exe 2736 Iclbpj32.exe 2936 Jjfkmdlg.exe 2936 Jjfkmdlg.exe 1768 Jcqlkjae.exe 1768 Jcqlkjae.exe 1128 Jjjdhc32.exe 1128 Jjjdhc32.exe 2100 Jllqplnp.exe 2100 Jllqplnp.exe 1936 Jcciqi32.exe 1936 Jcciqi32.exe 1800 Jipaip32.exe 1800 Jipaip32.exe 2160 Jpjifjdg.exe 2160 Jpjifjdg.exe 1916 Jbhebfck.exe 1916 Jbhebfck.exe 992 Jibnop32.exe 992 Jibnop32.exe 896 Jlqjkk32.exe 896 Jlqjkk32.exe 1872 Kbjbge32.exe 1872 Kbjbge32.exe 2396 Keioca32.exe 2396 Keioca32.exe 2084 Khgkpl32.exe 2084 Khgkpl32.exe 1632 Kjeglh32.exe 1632 Kjeglh32.exe 2428 Koaclfgl.exe 2428 Koaclfgl.exe 2516 Kapohbfp.exe 2516 Kapohbfp.exe 2644 Kdnkdmec.exe 2644 Kdnkdmec.exe 2352 Kocpbfei.exe 2352 Kocpbfei.exe 1544 Khldkllj.exe 1544 Khldkllj.exe 2656 Koflgf32.exe 2656 Koflgf32.exe 2652 Kdbepm32.exe 2652 Kdbepm32.exe 2552 Kfaalh32.exe 2552 Kfaalh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fobkfqpo.exe Fpokjd32.exe File opened for modification C:\Windows\SysWOW64\Jpmooind.exe Jajocl32.exe File created C:\Windows\SysWOW64\Ofoebc32.dll Cncolfcl.exe File opened for modification C:\Windows\SysWOW64\Omnmal32.exe Onkmfofg.exe File created C:\Windows\SysWOW64\Qjddgj32.exe Phehko32.exe File created C:\Windows\SysWOW64\Lkgifd32.exe Lglmefcg.exe File created C:\Windows\SysWOW64\Nnbjpqoa.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Cpcpnokb.dll Icbipe32.exe File opened for modification C:\Windows\SysWOW64\Gpgjnbnl.exe Gminbfoh.exe File created C:\Windows\SysWOW64\Oellihpf.dll Qjdgpcmd.exe File created C:\Windows\SysWOW64\Jacibm32.exe Jbphgpfg.exe File created C:\Windows\SysWOW64\Comhgndh.dll Ogdhik32.exe File created C:\Windows\SysWOW64\Gjlpei32.dll Ilemce32.exe File opened for modification C:\Windows\SysWOW64\Oqgjdbpi.exe Omlncc32.exe File created C:\Windows\SysWOW64\Lophacfl.exe Lhfpdi32.exe File opened for modification C:\Windows\SysWOW64\Ohmoco32.exe Odacbpee.exe File created C:\Windows\SysWOW64\Lebbqn32.dll Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Mmndfnpl.exe Mkohjbah.exe File created C:\Windows\SysWOW64\Aejglo32.exe Abkkpd32.exe File opened for modification C:\Windows\SysWOW64\Blaobmkq.exe Biccfalm.exe File created C:\Windows\SysWOW64\Hndnigle.dll Mlmoilni.exe File opened for modification C:\Windows\SysWOW64\Plhaeofp.exe Penihe32.exe File created C:\Windows\SysWOW64\Hkobdolo.dll Aaklmhak.exe File opened for modification C:\Windows\SysWOW64\Ebialmjb.exe Enneln32.exe File created C:\Windows\SysWOW64\Ingmmn32.exe Igmepdbc.exe File created C:\Windows\SysWOW64\Ddlffnae.dll Jqbbhg32.exe File created C:\Windows\SysWOW64\Gjhjgq32.dll Kepgmh32.exe File opened for modification C:\Windows\SysWOW64\Pgcnnh32.exe Pchbmigj.exe File created C:\Windows\SysWOW64\Kapohbfp.exe Koaclfgl.exe File created C:\Windows\SysWOW64\Kdnkdmec.exe Kapohbfp.exe File created C:\Windows\SysWOW64\Ibibfa32.exe Icfbkded.exe File created C:\Windows\SysWOW64\Jfekec32.exe Jcfoihhp.exe File created C:\Windows\SysWOW64\Dmcfngde.exe Dnpebj32.exe File created C:\Windows\SysWOW64\Djicmk32.exe Dfngll32.exe File created C:\Windows\SysWOW64\Pfqlkfoc.exe Pcbookpp.exe File created C:\Windows\SysWOW64\Amjpgdik.exe Ajldkhjh.exe File opened for modification C:\Windows\SysWOW64\Cgjgol32.exe Chggdoee.exe File created C:\Windows\SysWOW64\Akomon32.dll Eikimeff.exe File opened for modification C:\Windows\SysWOW64\Jinfli32.exe Jjkfqlpf.exe File created C:\Windows\SysWOW64\Monmegdp.dll Mkohjbah.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jcciqi32.exe File created C:\Windows\SysWOW64\Okipkm32.dll Gpacogjm.exe File created C:\Windows\SysWOW64\Naegmabc.exe Nnjklb32.exe File created C:\Windows\SysWOW64\Ajcdki32.dll Onldqejb.exe File created C:\Windows\SysWOW64\Qhkkim32.exe Qdpohodn.exe File opened for modification C:\Windows\SysWOW64\Dkeoongd.exe Dlboca32.exe File created C:\Windows\SysWOW64\Eifobe32.exe Empomd32.exe File opened for modification C:\Windows\SysWOW64\Bckefnki.exe Booiep32.exe File opened for modification C:\Windows\SysWOW64\Fpokjd32.exe Fhhbif32.exe File created C:\Windows\SysWOW64\Dblknlpo.dll Hhoeii32.exe File created C:\Windows\SysWOW64\Nhkhml32.dll Lilfgq32.exe File created C:\Windows\SysWOW64\Oidhelof.dll Fappgflg.exe File created C:\Windows\SysWOW64\Emjhmipi.exe Einlmkhp.exe File created C:\Windows\SysWOW64\Jmdaehpn.dll Adiaommc.exe File created C:\Windows\SysWOW64\Ghidcceo.exe Gaplfinb.exe File created C:\Windows\SysWOW64\Hkogpn32.exe Hchoop32.exe File created C:\Windows\SysWOW64\Dghjkpck.exe Doabjbci.exe File opened for modification C:\Windows\SysWOW64\Maoalb32.exe Mopdpg32.exe File opened for modification C:\Windows\SysWOW64\Bhmmcjjd.exe Bpfebmia.exe File created C:\Windows\SysWOW64\Cgbfcjag.exe Caenkc32.exe File created C:\Windows\SysWOW64\Qanmcdlm.exe Qjddgj32.exe File opened for modification C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe File created C:\Windows\SysWOW64\Celpqbon.exe Capdpcge.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqeapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabmmejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohjbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhglop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjfcali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpapcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einlmkhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beggec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlpdbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjneadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdldknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbmcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiabfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeghng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapgblob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkdndeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjpdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqmcgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celpqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklepmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgodcich.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmkne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbfcjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpdmfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odqlhjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acadchoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enneln32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pljnkodm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfoihhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfjildbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnkaj32.dll" Klfmijae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceakpbh.dll" Clhecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" Cgbfcjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll" Eclcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jipcbidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll" Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omlncc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojpomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeghng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeegim32.dll" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdcgo32.dll" Ncnjeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokalbod.dll" Mpqjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhcpnk.dll" Ojkhjabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afqnmm32.dll" Qpamoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copblmbb.dll" Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclgkc32.dll" Penihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfjildbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqncib32.dll" Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emokgnoa.dll" Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abdeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hagianlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmipmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomklqkm.dll" Jibpghbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaekljjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll" Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbafalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofoebc32.dll" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknnijed.dll" Mebpakbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monmegdp.dll" Mkohjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kageia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emeobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" Bkcfjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojloc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmndfnpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpmjcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaokbi32.dll" Gfcopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aedlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akfnkmei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnjpcle.dll" Baclaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbibolf.dll" Mgegfk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2280 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 30 PID 3032 wrote to memory of 2280 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 30 PID 3032 wrote to memory of 2280 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 30 PID 3032 wrote to memory of 2280 3032 52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe 30 PID 2280 wrote to memory of 2828 2280 Hqnjek32.exe 31 PID 2280 wrote to memory of 2828 2280 Hqnjek32.exe 31 PID 2280 wrote to memory of 2828 2280 Hqnjek32.exe 31 PID 2280 wrote to memory of 2828 2280 Hqnjek32.exe 31 PID 2828 wrote to memory of 2788 2828 Hclfag32.exe 32 PID 2828 wrote to memory of 2788 2828 Hclfag32.exe 32 PID 2828 wrote to memory of 2788 2828 Hclfag32.exe 32 PID 2828 wrote to memory of 2788 2828 Hclfag32.exe 32 PID 2788 wrote to memory of 2676 2788 Ibacbcgg.exe 33 PID 2788 wrote to memory of 2676 2788 Ibacbcgg.exe 33 PID 2788 wrote to memory of 2676 2788 Ibacbcgg.exe 33 PID 2788 wrote to memory of 2676 2788 Ibacbcgg.exe 33 PID 2676 wrote to memory of 2560 2676 Imggplgm.exe 34 PID 2676 wrote to memory of 2560 2676 Imggplgm.exe 34 PID 2676 wrote to memory of 2560 2676 Imggplgm.exe 34 PID 2676 wrote to memory of 2560 2676 Imggplgm.exe 34 PID 2560 wrote to memory of 2296 2560 Injqmdki.exe 35 PID 2560 wrote to memory of 2296 2560 Injqmdki.exe 35 PID 2560 wrote to memory of 2296 2560 Injqmdki.exe 35 PID 2560 wrote to memory of 2296 2560 Injqmdki.exe 35 PID 2296 wrote to memory of 2468 2296 Iipejmko.exe 36 PID 2296 wrote to memory of 2468 2296 Iipejmko.exe 36 PID 2296 wrote to memory of 2468 2296 Iipejmko.exe 36 PID 2296 wrote to memory of 2468 2296 Iipejmko.exe 36 PID 2468 wrote to memory of 2420 2468 Igebkiof.exe 37 PID 2468 wrote to memory of 2420 2468 Igebkiof.exe 37 PID 2468 wrote to memory of 2420 2468 Igebkiof.exe 37 PID 2468 wrote to memory of 2420 2468 Igebkiof.exe 37 PID 2420 wrote to memory of 2736 2420 Ieibdnnp.exe 38 PID 2420 wrote to memory of 2736 2420 Ieibdnnp.exe 38 PID 2420 wrote to memory of 2736 2420 Ieibdnnp.exe 38 PID 2420 wrote to memory of 2736 2420 Ieibdnnp.exe 38 PID 2736 wrote to memory of 2936 2736 Iclbpj32.exe 39 PID 2736 wrote to memory of 2936 2736 Iclbpj32.exe 39 PID 2736 wrote to memory of 2936 2736 Iclbpj32.exe 39 PID 2736 wrote to memory of 2936 2736 Iclbpj32.exe 39 PID 2936 wrote to memory of 1768 2936 Jjfkmdlg.exe 40 PID 2936 wrote to memory of 1768 2936 Jjfkmdlg.exe 40 PID 2936 wrote to memory of 1768 2936 Jjfkmdlg.exe 40 PID 2936 wrote to memory of 1768 2936 Jjfkmdlg.exe 40 PID 1768 wrote to memory of 1128 1768 Jcqlkjae.exe 41 PID 1768 wrote to memory of 1128 1768 Jcqlkjae.exe 41 PID 1768 wrote to memory of 1128 1768 Jcqlkjae.exe 41 PID 1768 wrote to memory of 1128 1768 Jcqlkjae.exe 41 PID 1128 wrote to memory of 2100 1128 Jjjdhc32.exe 42 PID 1128 wrote to memory of 2100 1128 Jjjdhc32.exe 42 PID 1128 wrote to memory of 2100 1128 Jjjdhc32.exe 42 PID 1128 wrote to memory of 2100 1128 Jjjdhc32.exe 42 PID 2100 wrote to memory of 1936 2100 Jllqplnp.exe 43 PID 2100 wrote to memory of 1936 2100 Jllqplnp.exe 43 PID 2100 wrote to memory of 1936 2100 Jllqplnp.exe 43 PID 2100 wrote to memory of 1936 2100 Jllqplnp.exe 43 PID 1936 wrote to memory of 1800 1936 Jcciqi32.exe 44 PID 1936 wrote to memory of 1800 1936 Jcciqi32.exe 44 PID 1936 wrote to memory of 1800 1936 Jcciqi32.exe 44 PID 1936 wrote to memory of 1800 1936 Jcciqi32.exe 44 PID 1800 wrote to memory of 2160 1800 Jipaip32.exe 45 PID 1800 wrote to memory of 2160 1800 Jipaip32.exe 45 PID 1800 wrote to memory of 2160 1800 Jipaip32.exe 45 PID 1800 wrote to memory of 2160 1800 Jipaip32.exe 45
Processes
-
C:\Windows\System32\ycnjns.exe"C:\Windows\System32\ycnjns.exe"1⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\1317445388\zmstage.exeC:\Users\Admin\AppData\Local\Temp\1317445388\zmstage.exe2⤵PID:1912
-
-
C:\Users\Admin\AppData\Local\Temp\52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe"C:\Users\Admin\AppData\Local\Temp\52622d98f2b55a2019306b9e3e64030abcdbc07f27b9b06542b0656e4243dbd0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ibacbcgg.exeC:\Windows\system32\Ibacbcgg.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Imggplgm.exeC:\Windows\system32\Imggplgm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Injqmdki.exeC:\Windows\system32\Injqmdki.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jjfkmdlg.exeC:\Windows\system32\Jjfkmdlg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Koflgf32.exeC:\Windows\system32\Koflgf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Kageia32.exeC:\Windows\system32\Kageia32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe35⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kgcnahoo.exeC:\Windows\system32\Kgcnahoo.exe36⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe37⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe38⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe39⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe41⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe44⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe45⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe46⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe47⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe48⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe49⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe50⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe51⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe52⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe55⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe56⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe57⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe58⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe59⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe60⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe61⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe62⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe63⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe64⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe65⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe66⤵PID:2260
-
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe67⤵PID:2800
-
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe68⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe69⤵PID:1808
-
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe70⤵PID:2864
-
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe71⤵PID:2292
-
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe72⤵PID:2476
-
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe73⤵PID:848
-
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe74⤵PID:2792
-
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe78⤵PID:2920
-
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe79⤵PID:1520
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe80⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe81⤵PID:292
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe82⤵PID:2176
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:688 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe84⤵PID:2388
-
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe86⤵PID:320
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe87⤵PID:2336
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe88⤵PID:1676
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe90⤵PID:2804
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe91⤵PID:2484
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe92⤵PID:2956
-
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe93⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe94⤵PID:2548
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe95⤵PID:1636
-
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe96⤵PID:2856
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe97⤵PID:2960
-
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe98⤵PID:2508
-
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe99⤵PID:1660
-
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe100⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe102⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe104⤵PID:1980
-
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe105⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe106⤵PID:2696
-
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe107⤵PID:1320
-
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe108⤵PID:2248
-
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe109⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe110⤵PID:2196
-
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe111⤵PID:2924
-
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe113⤵PID:2332
-
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe114⤵PID:2216
-
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe116⤵PID:264
-
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe117⤵PID:2316
-
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe119⤵PID:2964
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe120⤵PID:2596
-
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe121⤵PID:2780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-