Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 14:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c9a2999a61fceb6684c194e2dc1a4c60N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
c9a2999a61fceb6684c194e2dc1a4c60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c9a2999a61fceb6684c194e2dc1a4c60N.exe
-
Size
55KB
-
MD5
c9a2999a61fceb6684c194e2dc1a4c60
-
SHA1
cbc597237ba4a31b978f9665267b71c93062b3f9
-
SHA256
beee0880350e359ba6e33ac52b4538524711186864e4e53fbc94f58ca79919d7
-
SHA512
1b2b68c8818e792b1b578fb8e2c7868964ee5fa875a903818fe1f56a3955b655e7fa21a9032a36cfeca2cca1a0a27ab72c4d784e0baec7f9b686e5556cb8df38
-
SSDEEP
1536:jWft4u8j9JESBSIhCi+KLybM9XQqcqG/3qP2Lc:it4F6b/M9XxLMvc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlefhcnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdjkhdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfbdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcdbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdgmlhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abegfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacbfii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oijjka32.exe -
Executes dropped EXE 64 IoCs
pid Process 2360 Kdefgj32.exe 2484 Khabghdl.exe 2692 Kokjdb32.exe 2880 Knnkpobc.exe 2772 Kdhcli32.exe 2272 Khcomhbi.exe 2588 Lkakicam.exe 2904 Lblcfnhj.exe 800 Lqncaj32.exe 2412 Lkdhoc32.exe 964 Ljghjpfe.exe 760 Lbnpkmfg.exe 1752 Lcomce32.exe 2760 Lkfddc32.exe 2936 Lneaqn32.exe 1688 Ldoimh32.exe 1144 Lcaiiejc.exe 2984 Lgmeid32.exe 940 Lngnfnji.exe 2820 Lqejbiim.exe 2012 Lcdfnehp.exe 1352 Lgoboc32.exe 2980 Ljnnko32.exe 3032 Liqoflfh.exe 2404 Lokgcf32.exe 2260 Lcfbdd32.exe 2668 Mmogmjmn.exe 2492 Mchoid32.exe 2708 Mfglep32.exe 2688 Mmadbjkk.exe 2608 Mkddnf32.exe 2584 Mnbpjb32.exe 2628 Mfihkoal.exe 2180 Melifl32.exe 764 Mbpipp32.exe 1524 Macilmnk.exe 844 Mgmahg32.exe 1940 Mbbfep32.exe 2024 Maefamlh.exe 2816 Mjnjjbbh.exe 2332 Mnifja32.exe 560 Nmlgfnal.exe 2020 Ncfoch32.exe 960 Nmnclmoj.exe 308 Najpll32.exe 1672 Ndhlhg32.exe 780 Nfghdcfj.exe 3064 Nallalep.exe 2100 Npolmh32.exe 2524 Ndkhngdd.exe 2452 Nbniid32.exe 2740 Nigafnck.exe 2736 Nmcmgm32.exe 2932 Nlfmbibo.exe 2648 Nbpeoc32.exe 1276 Nfkapb32.exe 2400 Nenakoho.exe 1304 Nijnln32.exe 1808 Nlhjhi32.exe 1508 Noffdd32.exe 2680 Nbbbdcgi.exe 2948 Nfnneb32.exe 1500 Oiljam32.exe 892 Olkfmi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 2360 Kdefgj32.exe 2360 Kdefgj32.exe 2484 Khabghdl.exe 2484 Khabghdl.exe 2692 Kokjdb32.exe 2692 Kokjdb32.exe 2880 Knnkpobc.exe 2880 Knnkpobc.exe 2772 Kdhcli32.exe 2772 Kdhcli32.exe 2272 Khcomhbi.exe 2272 Khcomhbi.exe 2588 Lkakicam.exe 2588 Lkakicam.exe 2904 Lblcfnhj.exe 2904 Lblcfnhj.exe 800 Lqncaj32.exe 800 Lqncaj32.exe 2412 Lkdhoc32.exe 2412 Lkdhoc32.exe 964 Ljghjpfe.exe 964 Ljghjpfe.exe 760 Lbnpkmfg.exe 760 Lbnpkmfg.exe 1752 Lcomce32.exe 1752 Lcomce32.exe 2760 Lkfddc32.exe 2760 Lkfddc32.exe 2936 Lneaqn32.exe 2936 Lneaqn32.exe 1688 Ldoimh32.exe 1688 Ldoimh32.exe 1144 Lcaiiejc.exe 1144 Lcaiiejc.exe 2984 Lgmeid32.exe 2984 Lgmeid32.exe 940 Lngnfnji.exe 940 Lngnfnji.exe 2820 Lqejbiim.exe 2820 Lqejbiim.exe 2012 Lcdfnehp.exe 2012 Lcdfnehp.exe 1352 Lgoboc32.exe 1352 Lgoboc32.exe 2980 Ljnnko32.exe 2980 Ljnnko32.exe 3032 Liqoflfh.exe 3032 Liqoflfh.exe 2404 Lokgcf32.exe 2404 Lokgcf32.exe 2260 Lcfbdd32.exe 2260 Lcfbdd32.exe 2668 Mmogmjmn.exe 2668 Mmogmjmn.exe 2492 Mchoid32.exe 2492 Mchoid32.exe 2708 Mfglep32.exe 2708 Mfglep32.exe 2688 Mmadbjkk.exe 2688 Mmadbjkk.exe 2608 Mkddnf32.exe 2608 Mkddnf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gjhmge32.dll Cfkloq32.exe File opened for modification C:\Windows\SysWOW64\Bbjmpcab.exe Bnnaoe32.exe File opened for modification C:\Windows\SysWOW64\Lldmleam.exe Ljfapjbi.exe File created C:\Windows\SysWOW64\Piicpk32.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Ohcdhi32.exe Odhhgkib.exe File created C:\Windows\SysWOW64\Dldlhdpl.dll Khghgchk.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cchbgi32.exe File created C:\Windows\SysWOW64\Dkigoimd.exe Dlfgcl32.exe File opened for modification C:\Windows\SysWOW64\Pcdkif32.exe Pdakniag.exe File created C:\Windows\SysWOW64\Opnkglik.dll Gonocmbi.exe File opened for modification C:\Windows\SysWOW64\Ohcdhi32.exe Odhhgkib.exe File opened for modification C:\Windows\SysWOW64\Acnjnh32.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Cillkbac.exe Cjjkpe32.exe File created C:\Windows\SysWOW64\Gbadjg32.exe Gneijien.exe File created C:\Windows\SysWOW64\Agdmdg32.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Aggiigmn.exe File opened for modification C:\Windows\SysWOW64\Gqahqd32.exe Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Lqipkhbj.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Kdhcli32.exe Knnkpobc.exe File created C:\Windows\SysWOW64\Aeeeakip.dll Cfnoogbo.exe File created C:\Windows\SysWOW64\Ddblgn32.exe Dacpkc32.exe File opened for modification C:\Windows\SysWOW64\Dklddhka.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Fplheofl.dll Eihgfd32.exe File created C:\Windows\SysWOW64\Iefcfe32.exe Imokehhl.exe File created C:\Windows\SysWOW64\Jbefcm32.exe Jojkco32.exe File opened for modification C:\Windows\SysWOW64\Kjahej32.exe Kgclio32.exe File created C:\Windows\SysWOW64\Hejcbh32.dll Lkdhoc32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Caifjn32.exe File created C:\Windows\SysWOW64\Hcnfppba.dll Ohncbdbd.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Agolnbok.exe Aohdmdoh.exe File created C:\Windows\SysWOW64\Diaaeepi.exe Dknajh32.exe File opened for modification C:\Windows\SysWOW64\Folfoj32.exe Fkpjnkig.exe File opened for modification C:\Windows\SysWOW64\Omioekbo.exe Njjcip32.exe File created C:\Windows\SysWOW64\Plolgk32.exe Phcpgm32.exe File created C:\Windows\SysWOW64\Cmedlk32.exe Ciihklpj.exe File opened for modification C:\Windows\SysWOW64\Mfihkoal.exe Mnbpjb32.exe File created C:\Windows\SysWOW64\Nihqegkl.dll Ajqljc32.exe File created C:\Windows\SysWOW64\Hnheohcl.exe Hkiicmdh.exe File opened for modification C:\Windows\SysWOW64\Jehlkhig.exe Jampjian.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Pdakniag.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Ndhlhg32.exe Najpll32.exe File created C:\Windows\SysWOW64\Daofpchf.exe Copjdhib.exe File created C:\Windows\SysWOW64\Bjlkhpje.dll Ljddjj32.exe File opened for modification C:\Windows\SysWOW64\Nedhjj32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Binbknik.dll Ahebaiac.exe File opened for modification C:\Windows\SysWOW64\Mbpipp32.exe Melifl32.exe File created C:\Windows\SysWOW64\Amfognic.exe Ajgbkbjp.exe File created C:\Windows\SysWOW64\Fffjig32.dll Kekiphge.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Anjlebjc.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Ioloda32.dll Dhiomn32.exe File created C:\Windows\SysWOW64\Fgpomb32.dll Dddimn32.exe File created C:\Windows\SysWOW64\Aqcifjof.dll Pdgmlhha.exe File created C:\Windows\SysWOW64\Aflfjc32.exe Acnjnh32.exe File created C:\Windows\SysWOW64\Cpgkadij.dll Jojkco32.exe File created C:\Windows\SysWOW64\Mpioba32.dll Padhdm32.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Nefamd32.dll Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File created C:\Windows\SysWOW64\Eljnnl32.dll Pilfpqaa.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehdan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmfmlen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qngopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amohfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopahjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daacecfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhmfbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npolmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphkbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkibcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npolmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alenfc32.dll" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejdjfjb.dll" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffhlolm.dll" Enlidg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmdacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llgjaeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpcoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmkijgm.dll" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoiiijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Gifclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljddjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neknki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjegog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldlga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbihfb32.dll" Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll" Oeindm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjceldap.dll" Ooicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgkadij.dll" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfejbj.dll" Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbgbj32.dll" Omklkkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkabpebk.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmaeh32.dll" Nigafnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookpodkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcmgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehdan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdghaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniqhlqh.dll" Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqpflded.dll" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamoi32.dll" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liihgqil.dll" Goiehm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2360 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 30 PID 2060 wrote to memory of 2360 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 30 PID 2060 wrote to memory of 2360 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 30 PID 2060 wrote to memory of 2360 2060 c9a2999a61fceb6684c194e2dc1a4c60N.exe 30 PID 2360 wrote to memory of 2484 2360 Kdefgj32.exe 31 PID 2360 wrote to memory of 2484 2360 Kdefgj32.exe 31 PID 2360 wrote to memory of 2484 2360 Kdefgj32.exe 31 PID 2360 wrote to memory of 2484 2360 Kdefgj32.exe 31 PID 2484 wrote to memory of 2692 2484 Khabghdl.exe 32 PID 2484 wrote to memory of 2692 2484 Khabghdl.exe 32 PID 2484 wrote to memory of 2692 2484 Khabghdl.exe 32 PID 2484 wrote to memory of 2692 2484 Khabghdl.exe 32 PID 2692 wrote to memory of 2880 2692 Kokjdb32.exe 33 PID 2692 wrote to memory of 2880 2692 Kokjdb32.exe 33 PID 2692 wrote to memory of 2880 2692 Kokjdb32.exe 33 PID 2692 wrote to memory of 2880 2692 Kokjdb32.exe 33 PID 2880 wrote to memory of 2772 2880 Knnkpobc.exe 34 PID 2880 wrote to memory of 2772 2880 Knnkpobc.exe 34 PID 2880 wrote to memory of 2772 2880 Knnkpobc.exe 34 PID 2880 wrote to memory of 2772 2880 Knnkpobc.exe 34 PID 2772 wrote to memory of 2272 2772 Kdhcli32.exe 35 PID 2772 wrote to memory of 2272 2772 Kdhcli32.exe 35 PID 2772 wrote to memory of 2272 2772 Kdhcli32.exe 35 PID 2772 wrote to memory of 2272 2772 Kdhcli32.exe 35 PID 2272 wrote to memory of 2588 2272 Khcomhbi.exe 36 PID 2272 wrote to memory of 2588 2272 Khcomhbi.exe 36 PID 2272 wrote to memory of 2588 2272 Khcomhbi.exe 36 PID 2272 wrote to memory of 2588 2272 Khcomhbi.exe 36 PID 2588 wrote to memory of 2904 2588 Lkakicam.exe 37 PID 2588 wrote to memory of 2904 2588 Lkakicam.exe 37 PID 2588 wrote to memory of 2904 2588 Lkakicam.exe 37 PID 2588 wrote to memory of 2904 2588 Lkakicam.exe 37 PID 2904 wrote to memory of 800 2904 Lblcfnhj.exe 38 PID 2904 wrote to memory of 800 2904 Lblcfnhj.exe 38 PID 2904 wrote to memory of 800 2904 Lblcfnhj.exe 38 PID 2904 wrote to memory of 800 2904 Lblcfnhj.exe 38 PID 800 wrote to memory of 2412 800 Lqncaj32.exe 39 PID 800 wrote to memory of 2412 800 Lqncaj32.exe 39 PID 800 wrote to memory of 2412 800 Lqncaj32.exe 39 PID 800 wrote to memory of 2412 800 Lqncaj32.exe 39 PID 2412 wrote to memory of 964 2412 Lkdhoc32.exe 40 PID 2412 wrote to memory of 964 2412 Lkdhoc32.exe 40 PID 2412 wrote to memory of 964 2412 Lkdhoc32.exe 40 PID 2412 wrote to memory of 964 2412 Lkdhoc32.exe 40 PID 964 wrote to memory of 760 964 Ljghjpfe.exe 41 PID 964 wrote to memory of 760 964 Ljghjpfe.exe 41 PID 964 wrote to memory of 760 964 Ljghjpfe.exe 41 PID 964 wrote to memory of 760 964 Ljghjpfe.exe 41 PID 760 wrote to memory of 1752 760 Lbnpkmfg.exe 42 PID 760 wrote to memory of 1752 760 Lbnpkmfg.exe 42 PID 760 wrote to memory of 1752 760 Lbnpkmfg.exe 42 PID 760 wrote to memory of 1752 760 Lbnpkmfg.exe 42 PID 1752 wrote to memory of 2760 1752 Lcomce32.exe 43 PID 1752 wrote to memory of 2760 1752 Lcomce32.exe 43 PID 1752 wrote to memory of 2760 1752 Lcomce32.exe 43 PID 1752 wrote to memory of 2760 1752 Lcomce32.exe 43 PID 2760 wrote to memory of 2936 2760 Lkfddc32.exe 44 PID 2760 wrote to memory of 2936 2760 Lkfddc32.exe 44 PID 2760 wrote to memory of 2936 2760 Lkfddc32.exe 44 PID 2760 wrote to memory of 2936 2760 Lkfddc32.exe 44 PID 2936 wrote to memory of 1688 2936 Lneaqn32.exe 45 PID 2936 wrote to memory of 1688 2936 Lneaqn32.exe 45 PID 2936 wrote to memory of 1688 2936 Lneaqn32.exe 45 PID 2936 wrote to memory of 1688 2936 Lneaqn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9a2999a61fceb6684c194e2dc1a4c60N.exe"C:\Users\Admin\AppData\Local\Temp\c9a2999a61fceb6684c194e2dc1a4c60N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe34⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe36⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe37⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe38⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe39⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe41⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe42⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe43⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe44⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe45⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe48⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe49⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe52⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe56⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe57⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe58⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe59⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe61⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe62⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe63⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe64⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe65⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe66⤵PID:1516
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe67⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe69⤵PID:1268
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe70⤵PID:548
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe71⤵PID:2428
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe72⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe73⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe74⤵PID:2696
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe75⤵PID:1644
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe76⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe77⤵PID:1388
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe78⤵PID:1148
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe79⤵PID:2924
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe80⤵PID:2800
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe83⤵PID:2468
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe84⤵PID:1680
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe85⤵PID:1652
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe86⤵PID:2124
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe87⤵PID:2508
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe89⤵PID:2848
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe91⤵PID:2928
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe92⤵PID:2324
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe93⤵PID:1636
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe94⤵PID:2824
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe95⤵PID:2788
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe96⤵PID:380
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe98⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe99⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe100⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe101⤵PID:2240
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe102⤵PID:1788
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe103⤵PID:2416
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe105⤵PID:1912
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe106⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe107⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe108⤵PID:2496
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe109⤵PID:1720
-
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe111⤵PID:1536
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe112⤵PID:2168
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe113⤵PID:2064
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe114⤵PID:2808
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe115⤵PID:672
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe117⤵PID:1632
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe118⤵PID:1792
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe119⤵PID:448
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe120⤵PID:1852
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe121⤵PID:1952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-