Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 22:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91e181a27975e828f4261b7bc90d0330N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
91e181a27975e828f4261b7bc90d0330N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
91e181a27975e828f4261b7bc90d0330N.exe
-
Size
64KB
-
MD5
91e181a27975e828f4261b7bc90d0330
-
SHA1
2e220de3aaa7be494f460664ea957faf3ad2fa34
-
SHA256
6e1d26131a06d12634b0f6b1e701933617608ceb7a0e6ef9fa65282dbdb94c3b
-
SHA512
5b24516a33271fd5e64a95757af8d2a94e96582292d06a74c28cab18cc3cd5174faf5e12a645d5fb8506ab424c33af3d9ef5343c98fd7dd03a7a3263e1cca1e9
-
SSDEEP
1536:XRGLmctSVYPIqpU/FUNdEun6Y4wUXruCHcpzt/Idn:XRMxEwIqe/QEMjpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agakog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephhmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcihdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedokpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanfgofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqoocmcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihlhagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjpmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eenckc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mliibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjieapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihaldgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhlih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhehmkqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figoefkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllpclnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkpdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cincaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmahmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkknm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqimoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmggcmgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhcokmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapejd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngppgae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonjpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaangfjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdjpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcgdjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joepjokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhhma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihlhagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapfmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghqchi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pieobaiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgdjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcbpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkbqcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhjijpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijbnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiamql32.exe -
Executes dropped EXE 64 IoCs
pid Process 2332 Phgfko32.exe 2748 Pkebgj32.exe 2888 Papkcd32.exe 2780 Ppegdapd.exe 2688 Pgamgken.exe 1160 Qkcbpn32.exe 2408 Aaogbh32.exe 3028 Aocgll32.exe 2632 Aqgqid32.exe 1100 Aqimoc32.exe 1668 Aonjpp32.exe 2192 Boqgep32.exe 2488 Biikne32.exe 2000 Bebiifka.exe 952 Cakfcfoc.exe 3056 Ckajqo32.exe 1108 Cfmhfm32.exe 1412 Cfoellgb.exe 1976 Domffn32.exe 2076 Danohi32.exe 2124 Dkhpfo32.exe 1524 Dabicikf.exe 2296 Edenjc32.exe 2268 Elqcnfdp.exe 2776 Epnldd32.exe 2468 Ehjqif32.exe 2680 Elgioe32.exe 2536 Fcaaloed.exe 2168 Fdekigip.exe 2392 Faikbkhj.exe 1636 Fakhhk32.exe 2276 Fghppa32.exe 1088 Gndebkii.exe 1348 Gohnpcmd.exe 2012 Ghqchi32.exe 2212 Gkoodd32.exe 2200 Gdgcnj32.exe 2308 Gomhkb32.exe 2228 Gielchpp.exe 1068 Hqpahkmj.exe 1528 Hjieapck.exe 1552 Hcajjf32.exe 1720 Haejcj32.exe 1936 Hgobpd32.exe 656 Hfdpaqej.exe 2396 Hbkpfa32.exe 880 Ibmmkaik.exe 2252 Iigehk32.exe 2872 Iijbnkne.exe 2960 Ipcjje32.exe 2824 Iilocklc.exe 2656 Iniglajj.exe 2188 Ihaldgak.exe 2660 Jdhlih32.exe 1344 Jjbdfbnl.exe 2608 Jpomnilc.exe 2936 Jfkbqcam.exe 1468 Jlhjijpe.exe 2284 Jmggcmgg.exe 1776 Jbdokceo.exe 2384 Kaillp32.exe 1248 Kciifc32.exe 1884 Kkdnke32.exe 2184 Kanfgofa.exe -
Loads dropped DLL 64 IoCs
pid Process 612 91e181a27975e828f4261b7bc90d0330N.exe 612 91e181a27975e828f4261b7bc90d0330N.exe 2332 Phgfko32.exe 2332 Phgfko32.exe 2748 Pkebgj32.exe 2748 Pkebgj32.exe 2888 Papkcd32.exe 2888 Papkcd32.exe 2780 Ppegdapd.exe 2780 Ppegdapd.exe 2688 Pgamgken.exe 2688 Pgamgken.exe 1160 Qkcbpn32.exe 1160 Qkcbpn32.exe 2408 Aaogbh32.exe 2408 Aaogbh32.exe 3028 Aocgll32.exe 3028 Aocgll32.exe 2632 Aqgqid32.exe 2632 Aqgqid32.exe 1100 Aqimoc32.exe 1100 Aqimoc32.exe 1668 Aonjpp32.exe 1668 Aonjpp32.exe 2192 Boqgep32.exe 2192 Boqgep32.exe 2488 Biikne32.exe 2488 Biikne32.exe 2000 Bebiifka.exe 2000 Bebiifka.exe 952 Cakfcfoc.exe 952 Cakfcfoc.exe 3056 Ckajqo32.exe 3056 Ckajqo32.exe 1108 Cfmhfm32.exe 1108 Cfmhfm32.exe 1412 Cfoellgb.exe 1412 Cfoellgb.exe 1976 Domffn32.exe 1976 Domffn32.exe 2076 Danohi32.exe 2076 Danohi32.exe 2124 Dkhpfo32.exe 2124 Dkhpfo32.exe 1524 Dabicikf.exe 1524 Dabicikf.exe 2296 Edenjc32.exe 2296 Edenjc32.exe 2268 Elqcnfdp.exe 2268 Elqcnfdp.exe 2776 Epnldd32.exe 2776 Epnldd32.exe 2468 Ehjqif32.exe 2468 Ehjqif32.exe 2680 Elgioe32.exe 2680 Elgioe32.exe 2536 Fcaaloed.exe 2536 Fcaaloed.exe 2168 Fdekigip.exe 2168 Fdekigip.exe 2392 Faikbkhj.exe 2392 Faikbkhj.exe 1636 Fakhhk32.exe 1636 Fakhhk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aqimoc32.exe Aqgqid32.exe File opened for modification C:\Windows\SysWOW64\Dfegjknm.exe Dedkbb32.exe File created C:\Windows\SysWOW64\Iclfccmq.exe Hefibg32.exe File created C:\Windows\SysWOW64\Mbbkabdh.exe Llfcik32.exe File created C:\Windows\SysWOW64\Pieobaiq.exe Oegflcbj.exe File created C:\Windows\SysWOW64\Fbjpjphf.dll Gkiooocb.exe File created C:\Windows\SysWOW64\Hmighemp.exe Gjcekj32.exe File opened for modification C:\Windows\SysWOW64\Ifloeo32.exe Iapfmg32.exe File created C:\Windows\SysWOW64\Nffcebdd.exe Nqijmkfm.exe File created C:\Windows\SysWOW64\Ibhmmobd.dll Pbcfie32.exe File created C:\Windows\SysWOW64\Necqbp32.exe Ncbdjhnf.exe File created C:\Windows\SysWOW64\Pbcfie32.exe Pmgnan32.exe File created C:\Windows\SysWOW64\Npdlphmj.dll Hqpahkmj.exe File opened for modification C:\Windows\SysWOW64\Ebghkjjc.exe Epgoio32.exe File opened for modification C:\Windows\SysWOW64\Mojaceln.exe Mjmiknng.exe File created C:\Windows\SysWOW64\Ollncgjq.exe Obdjjb32.exe File created C:\Windows\SysWOW64\Danohi32.exe Domffn32.exe File opened for modification C:\Windows\SysWOW64\Epgoio32.exe Dogbolep.exe File created C:\Windows\SysWOW64\Hgbhibio.exe Hmighemp.exe File created C:\Windows\SysWOW64\Kekkkm32.exe Kblooa32.exe File created C:\Windows\SysWOW64\Bdkgph32.dll Ohkpdj32.exe File created C:\Windows\SysWOW64\Ppcmhj32.exe Pfjiod32.exe File opened for modification C:\Windows\SysWOW64\Iigehk32.exe Ibmmkaik.exe File created C:\Windows\SysWOW64\Flkohc32.exe Fgnfpm32.exe File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe Gkiooocb.exe File created C:\Windows\SysWOW64\Iapfmg32.exe Iclfccmq.exe File created C:\Windows\SysWOW64\Qgckhoib.dll Kciifc32.exe File created C:\Windows\SysWOW64\Dlfbck32.exe Deljfqmf.exe File created C:\Windows\SysWOW64\Koiohb32.dll Iapfmg32.exe File created C:\Windows\SysWOW64\Jpomnilc.exe Jjbdfbnl.exe File opened for modification C:\Windows\SysWOW64\Lfingaaf.exe Lpmeojbo.exe File created C:\Windows\SysWOW64\Dflhfeng.dll Lfingaaf.exe File created C:\Windows\SysWOW64\Allben32.dll Hgbhibio.exe File created C:\Windows\SysWOW64\Bghpdqdc.dll Nilpmo32.exe File created C:\Windows\SysWOW64\Pnqligpm.dll Pgbejj32.exe File opened for modification C:\Windows\SysWOW64\Pdjpmi32.exe Ohcohh32.exe File opened for modification C:\Windows\SysWOW64\Aqgqid32.exe Aocgll32.exe File created C:\Windows\SysWOW64\Pnflkl32.dll Elqcnfdp.exe File opened for modification C:\Windows\SysWOW64\Ppogok32.exe Pieobaiq.exe File opened for modification C:\Windows\SysWOW64\Jlegic32.exe Jnafop32.exe File opened for modification C:\Windows\SysWOW64\Gohnpcmd.exe Gndebkii.exe File created C:\Windows\SysWOW64\Fejjah32.exe Flbehbqm.exe File opened for modification C:\Windows\SysWOW64\Gkiooocb.exe Gemfghek.exe File created C:\Windows\SysWOW64\Aonjpp32.exe Aqimoc32.exe File created C:\Windows\SysWOW64\Kpeonkig.exe Kgmkef32.exe File opened for modification C:\Windows\SysWOW64\Pgamgken.exe Ppegdapd.exe File created C:\Windows\SysWOW64\Hqpahkmj.exe Gielchpp.exe File created C:\Windows\SysWOW64\Lfingaaf.exe Lpmeojbo.exe File created C:\Windows\SysWOW64\Nqgngk32.exe Nkjeod32.exe File created C:\Windows\SysWOW64\Plljbkml.exe Pbcfie32.exe File created C:\Windows\SysWOW64\Boqgep32.exe Aonjpp32.exe File created C:\Windows\SysWOW64\Jpalpp32.dll Nbljfdoh.exe File opened for modification C:\Windows\SysWOW64\Pgbejj32.exe Pkkeeikj.exe File opened for modification C:\Windows\SysWOW64\Gnmdfi32.exe Gcgpiq32.exe File created C:\Windows\SysWOW64\Kfenjq32.exe Kdgane32.exe File created C:\Windows\SysWOW64\Boifinfg.exe Bgnaekil.exe File opened for modification C:\Windows\SysWOW64\Dnfkefad.exe Dabkla32.exe File created C:\Windows\SysWOW64\Llcppm32.dll Hnecjgch.exe File created C:\Windows\SysWOW64\Ajingaej.dll Pgamgken.exe File opened for modification C:\Windows\SysWOW64\Kikpgk32.exe Koelibnh.exe File created C:\Windows\SysWOW64\Acjhln32.dll Hgobpd32.exe File created C:\Windows\SysWOW64\Oifcbl32.dll Kdgane32.exe File opened for modification C:\Windows\SysWOW64\Pnodjb32.exe Pdjpmi32.exe File created C:\Windows\SysWOW64\Cnbfkccn.exe Cqneaodd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3232 3148 WerFault.exe 319 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agilkijf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaangfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkpfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgpiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldlghhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbdpblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkknm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necqbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppogok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhehmkqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlmacfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonjpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmndokg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koelibnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaillp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnagbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekblplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjpmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkcbpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjieace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqneaodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebiifka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniglajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qggoeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilocklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnilfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmeojbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiamql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoijjjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqgqid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahjgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgqpjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphipbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjhig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijcgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebghkjjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flphccbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mliibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdcbjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeekf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmacgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmcmaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbkabdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifloeo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haejcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebhjc32.dll" Mnilfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icponb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noddcolo.dll" Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opihbegb.dll" Dkhpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbminqj.dll" Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcepk32.dll" Lbpolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqemkl32.dll" Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmpcohl.dll" Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneddmal.dll" Alncgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agilkijf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adqbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldppbn.dll" Aqgqid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llomhllh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhjijpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcendg.dll" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgmbc32.dll" Epnldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iniglajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcgdjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gocnjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phgfko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Danohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeon32.dll" Jlhjijpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llomhllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigbpkok.dll" Ghqchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbkpfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qggoeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll" Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feedfo32.dll" Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mglpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahjgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edfqclni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkebgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfdpaqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flbehbqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqgqid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflhfeng.dll" Lfingaaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llfcik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekblplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdjpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Danohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieklfmg.dll" Lcieef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmolej32.dll" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apdminod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbndfacf.dll" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll" Cbihpbpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fghppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cakfcfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plljbkml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aonjpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpomnilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpccgppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcffk32.dll" Gpccgppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jplinckj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 612 wrote to memory of 2332 612 91e181a27975e828f4261b7bc90d0330N.exe 29 PID 612 wrote to memory of 2332 612 91e181a27975e828f4261b7bc90d0330N.exe 29 PID 612 wrote to memory of 2332 612 91e181a27975e828f4261b7bc90d0330N.exe 29 PID 612 wrote to memory of 2332 612 91e181a27975e828f4261b7bc90d0330N.exe 29 PID 2332 wrote to memory of 2748 2332 Phgfko32.exe 30 PID 2332 wrote to memory of 2748 2332 Phgfko32.exe 30 PID 2332 wrote to memory of 2748 2332 Phgfko32.exe 30 PID 2332 wrote to memory of 2748 2332 Phgfko32.exe 30 PID 2748 wrote to memory of 2888 2748 Pkebgj32.exe 31 PID 2748 wrote to memory of 2888 2748 Pkebgj32.exe 31 PID 2748 wrote to memory of 2888 2748 Pkebgj32.exe 31 PID 2748 wrote to memory of 2888 2748 Pkebgj32.exe 31 PID 2888 wrote to memory of 2780 2888 Papkcd32.exe 32 PID 2888 wrote to memory of 2780 2888 Papkcd32.exe 32 PID 2888 wrote to memory of 2780 2888 Papkcd32.exe 32 PID 2888 wrote to memory of 2780 2888 Papkcd32.exe 32 PID 2780 wrote to memory of 2688 2780 Ppegdapd.exe 33 PID 2780 wrote to memory of 2688 2780 Ppegdapd.exe 33 PID 2780 wrote to memory of 2688 2780 Ppegdapd.exe 33 PID 2780 wrote to memory of 2688 2780 Ppegdapd.exe 33 PID 2688 wrote to memory of 1160 2688 Pgamgken.exe 34 PID 2688 wrote to memory of 1160 2688 Pgamgken.exe 34 PID 2688 wrote to memory of 1160 2688 Pgamgken.exe 34 PID 2688 wrote to memory of 1160 2688 Pgamgken.exe 34 PID 1160 wrote to memory of 2408 1160 Qkcbpn32.exe 35 PID 1160 wrote to memory of 2408 1160 Qkcbpn32.exe 35 PID 1160 wrote to memory of 2408 1160 Qkcbpn32.exe 35 PID 1160 wrote to memory of 2408 1160 Qkcbpn32.exe 35 PID 2408 wrote to memory of 3028 2408 Aaogbh32.exe 36 PID 2408 wrote to memory of 3028 2408 Aaogbh32.exe 36 PID 2408 wrote to memory of 3028 2408 Aaogbh32.exe 36 PID 2408 wrote to memory of 3028 2408 Aaogbh32.exe 36 PID 3028 wrote to memory of 2632 3028 Aocgll32.exe 37 PID 3028 wrote to memory of 2632 3028 Aocgll32.exe 37 PID 3028 wrote to memory of 2632 3028 Aocgll32.exe 37 PID 3028 wrote to memory of 2632 3028 Aocgll32.exe 37 PID 2632 wrote to memory of 1100 2632 Aqgqid32.exe 38 PID 2632 wrote to memory of 1100 2632 Aqgqid32.exe 38 PID 2632 wrote to memory of 1100 2632 Aqgqid32.exe 38 PID 2632 wrote to memory of 1100 2632 Aqgqid32.exe 38 PID 1100 wrote to memory of 1668 1100 Aqimoc32.exe 39 PID 1100 wrote to memory of 1668 1100 Aqimoc32.exe 39 PID 1100 wrote to memory of 1668 1100 Aqimoc32.exe 39 PID 1100 wrote to memory of 1668 1100 Aqimoc32.exe 39 PID 1668 wrote to memory of 2192 1668 Aonjpp32.exe 40 PID 1668 wrote to memory of 2192 1668 Aonjpp32.exe 40 PID 1668 wrote to memory of 2192 1668 Aonjpp32.exe 40 PID 1668 wrote to memory of 2192 1668 Aonjpp32.exe 40 PID 2192 wrote to memory of 2488 2192 Boqgep32.exe 41 PID 2192 wrote to memory of 2488 2192 Boqgep32.exe 41 PID 2192 wrote to memory of 2488 2192 Boqgep32.exe 41 PID 2192 wrote to memory of 2488 2192 Boqgep32.exe 41 PID 2488 wrote to memory of 2000 2488 Biikne32.exe 42 PID 2488 wrote to memory of 2000 2488 Biikne32.exe 42 PID 2488 wrote to memory of 2000 2488 Biikne32.exe 42 PID 2488 wrote to memory of 2000 2488 Biikne32.exe 42 PID 2000 wrote to memory of 952 2000 Bebiifka.exe 43 PID 2000 wrote to memory of 952 2000 Bebiifka.exe 43 PID 2000 wrote to memory of 952 2000 Bebiifka.exe 43 PID 2000 wrote to memory of 952 2000 Bebiifka.exe 43 PID 952 wrote to memory of 3056 952 Cakfcfoc.exe 44 PID 952 wrote to memory of 3056 952 Cakfcfoc.exe 44 PID 952 wrote to memory of 3056 952 Cakfcfoc.exe 44 PID 952 wrote to memory of 3056 952 Cakfcfoc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\91e181a27975e828f4261b7bc90d0330N.exe"C:\Users\Admin\AppData\Local\Temp\91e181a27975e828f4261b7bc90d0330N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Qkcbpn32.exeC:\Windows\system32\Qkcbpn32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Domffn32.exeC:\Windows\system32\Domffn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Dkhpfo32.exeC:\Windows\system32\Dkhpfo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Fghppa32.exeC:\Windows\system32\Fghppa32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Gndebkii.exeC:\Windows\system32\Gndebkii.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe35⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe37⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe39⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Hjieapck.exeC:\Windows\system32\Hjieapck.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Hcajjf32.exeC:\Windows\system32\Hcajjf32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:656 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Iigehk32.exeC:\Windows\system32\Iigehk32.exe49⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jjbdfbnl.exeC:\Windows\system32\Jjbdfbnl.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kaillp32.exeC:\Windows\system32\Kaillp32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe66⤵PID:1716
-
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe67⤵PID:1820
-
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe68⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe69⤵PID:524
-
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe71⤵PID:2832
-
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe72⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe73⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe76⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe77⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe79⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe82⤵PID:1828
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe83⤵PID:700
-
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe89⤵PID:2528
-
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe90⤵PID:3004
-
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe92⤵PID:1360
-
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe93⤵
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe98⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe99⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe103⤵PID:2532
-
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe104⤵PID:3020
-
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe105⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe106⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe108⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe112⤵PID:1548
-
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe113⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Apdminod.exeC:\Windows\system32\Apdminod.exe114⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe115⤵PID:3068
-
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe116⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe117⤵PID:1736
-
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe119⤵PID:980
-
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe120⤵PID:1996
-
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe121⤵PID:948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-