Analysis
-
max time kernel
138s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
09/08/2024, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe
Resource
win10v2004-20240802-en
General
-
Target
1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe
-
Size
512KB
-
MD5
57bc309aead95a184d32dbed6ac2d533
-
SHA1
6a18903db284207a127608b0e8b90440c5ddf0d8
-
SHA256
1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2
-
SHA512
5b971cda35f53dc6929437079ef7add0741ef7f52b0312d232f68a21f8413e7c46ef956fee19dd8970b66196be97c9e8794ff0969bae92f975314b4ca7c7023e
-
SSDEEP
6144:uF5G+0me853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:jNQBpnchWcZ
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgjie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdjipfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheloh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllednao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddihapnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekhehea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihjfolmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijplg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihacbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihacbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqemk32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppcac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiebljpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnijocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipapko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemkijdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjiemdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdopiohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfnjlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafdii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process 
not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfdcgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmkhmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abodlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clhgnagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpbnlbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfojl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpjph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpknl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbfcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmappn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmeadbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjgfol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdhfdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgihkmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Habgqehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmljodk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dffopi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofeneqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocanbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjnbem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cipaqqli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqjbhhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lipneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmicnhob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgebincc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckeccnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcboejh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofbph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhabfibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Djaiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqkace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebofpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpenkgfq.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Cjkcedgp.exe 1724 Cbfhjfdk.exe 2776 Dnmhogjo.exe 2440 Eagdgaoe.exe 2928 Eibikc32.exe 2628 Elcbmn32.exe 2304 Gdmcbojl.exe 1364 Gcdmikma.exe 1740 Hopgikop.exe 1720 Hjkdoh32.exe 2976 Hjnaehgj.exe 1484 Hmojfcdk.exe 2408 Ickoimie.exe 2272 Icmlnmgb.exe 604 Ifndph32.exe 1096 Iionacad.exe 1552 Jkpfcnoe.exe 1352 Jgfghodj.exe 428 Jjgpjjak.exe 2252 Jmhile32.exe 1196 Klmfmacc.exe 2952 Khhpmbeb.exe 2276 Koeeoljm.exe 3044 Lkkfdmpq.exe 1652 Lknbjlnn.exe 2144 Llalgdbj.exe 2492 Lpodmb32.exe 2860 Modano32.exe 2888 Mognco32.exe 2688 Moikinib.exe 1408 Majdkifd.exe 2748 Mqoqlfkl.exe 1664 Ncpjnahm.exe 2540 Nfqbol32.exe 904 Ndfppije.exe 2964 Nidhfgpl.exe 1972 Ogiegc32.exe 1564 Ognobcqo.exe 2468 Ommdqi32.exe 2528 Ocglmcdp.exe 1620 Pblinp32.exe 1340 Pldnge32.exe 1628 Pnefiq32.exe 2200 Pngcnpkg.exe 3056 Qfedhb32.exe 2280 Qjcmoqlf.exe 2296 Apbblg32.exe 1636 Amfcfk32.exe 1672 Aoilcc32.exe 2320 Almmlg32.exe 752 Bonenbgj.exe 2816 Bdknfiea.exe 1504 Bkgchckl.exe 2672 Bcbhmehg.exe 1168 Bfcqoqeh.exe 976 Cjaieoko.exe 2800 Cfhjjp32.exe 1252 Copobe32.exe 2216 Cnekcblk.exe 2676 Coehnecn.exe 928 Dmaoem32.exe 2264 Dfjcncak.exe 768 Diklpn32.exe 692 Ebcqicem.exe -
Loads dropped DLL 64 IoCs
pid Process 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 2192 Cjkcedgp.exe 2192 Cjkcedgp.exe 1724 Cbfhjfdk.exe 1724 Cbfhjfdk.exe 2776 Dnmhogjo.exe 2776 Dnmhogjo.exe 2440 Eagdgaoe.exe 2440 Eagdgaoe.exe 2928 Eibikc32.exe 2928 Eibikc32.exe 2628 Elcbmn32.exe 2628 Elcbmn32.exe 2304 Gdmcbojl.exe 2304 Gdmcbojl.exe 1364 Gcdmikma.exe 1364 Gcdmikma.exe 1740 Hopgikop.exe 1740 Hopgikop.exe 1720 Hjkdoh32.exe 1720 Hjkdoh32.exe 2976 Hjnaehgj.exe 2976 Hjnaehgj.exe 1484 Hmojfcdk.exe 1484 Hmojfcdk.exe 2408 Ickoimie.exe 2408 Ickoimie.exe 2272 Icmlnmgb.exe 2272 Icmlnmgb.exe 604 Ifndph32.exe 604 Ifndph32.exe 1096 Iionacad.exe 1096 Iionacad.exe 1552 Jkpfcnoe.exe 1552 Jkpfcnoe.exe 1352 Jgfghodj.exe 1352 Jgfghodj.exe 428 Jjgpjjak.exe 428 Jjgpjjak.exe 2252 Jmhile32.exe 2252 Jmhile32.exe 1196 Klmfmacc.exe 1196 Klmfmacc.exe 2952 Khhpmbeb.exe 2952 Khhpmbeb.exe 2276 Koeeoljm.exe 2276 Koeeoljm.exe 3044 Lkkfdmpq.exe 3044 Lkkfdmpq.exe 1652 Lknbjlnn.exe 1652 Lknbjlnn.exe 2144 Llalgdbj.exe 2144 Llalgdbj.exe 2492 Lpodmb32.exe 2492 Lpodmb32.exe 2860 Modano32.exe 2860 Modano32.exe 2888 Mognco32.exe 2888 Mognco32.exe 2688 Moikinib.exe 2688 Moikinib.exe 1408 Majdkifd.exe 1408 Majdkifd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eikmkbeg.exe Eoeiniea.exe File opened for modification C:\Windows\SysWOW64\Lellfe32.exe Lclombkc.exe File created C:\Windows\SysWOW64\Agbafm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lkkfdmpq.exe Koeeoljm.exe File opened for modification C:\Windows\SysWOW64\Hapaekng.exe Hlcimd32.exe File created C:\Windows\SysWOW64\Kaoelf32.dll Hfnjlj32.exe File created C:\Windows\SysWOW64\Mhgbpb32.exe Momqbm32.exe File opened for modification C:\Windows\SysWOW64\Genmab32.exe Gfippego.exe File created C:\Windows\SysWOW64\Ndokej32.dll Bhhbmfjb.exe File opened for modification C:\Windows\SysWOW64\Pcnfap32.exe Pmbaof32.exe File created C:\Windows\SysWOW64\Ngaehiok.dll Jqmadn32.exe File created C:\Windows\SysWOW64\Ibngfe32.dll Dhiacg32.exe File created C:\Windows\SysWOW64\Qlebpbfn.dll Jbdpeh32.exe File opened for modification C:\Windows\SysWOW64\Bonenbgj.exe Almmlg32.exe File opened for modification C:\Windows\SysWOW64\Hfiloiik.exe Hchcmnlj.exe File opened for modification C:\Windows\SysWOW64\Dccbohlj.exe Dpbjmm32.exe File created C:\Windows\SysWOW64\Cdkipl32.dll Enfinm32.exe File opened for modification C:\Windows\SysWOW64\Gonlld32.exe Geehcoaf.exe File created C:\Windows\SysWOW64\Pdkgcd32.exe Pjafbfca.exe File created C:\Windows\SysWOW64\Mdppqdfl.dll Ddbbod32.exe File opened for modification C:\Windows\SysWOW64\Jklbed32.exe Jbcnloam.exe File created C:\Windows\SysWOW64\Eqpfchka.exe Ekcmkamj.exe File created C:\Windows\SysWOW64\Jkdanngk.exe Jbhlilip.exe File created C:\Windows\SysWOW64\Bcbhmehg.exe Bkgchckl.exe File created C:\Windows\SysWOW64\Nkqlodpk.exe Nojljcjf.exe File created C:\Windows\SysWOW64\Neapoa32.dll Kagnipna.exe File created C:\Windows\SysWOW64\Aonmce32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Momqbm32.exe Mgoohk32.exe File created C:\Windows\SysWOW64\Qngclgob.dll Jkpkepnn.exe File created C:\Windows\SysWOW64\Elcfkg32.dll Pockoeeg.exe File opened for 
modification C:\Windows\SysWOW64\Ejofin32.exe Efambp32.exe File created C:\Windows\SysWOW64\Hanoiobl.dll Pjafbfca.exe File created C:\Windows\SysWOW64\Aadbhl32.exe Appikd32.exe File created C:\Windows\SysWOW64\Oclbok32.exe Obkegbnb.exe File opened for modification C:\Windows\SysWOW64\Ihcidgpj.exe Hkoikcaq.exe File created C:\Windows\SysWOW64\Bphhobmd.exe Anhomg32.exe File opened for modification C:\Windows\SysWOW64\Ageefcgl.exe Abhmnlhd.exe File opened for modification C:\Windows\SysWOW64\Kocoab32.exe Process not Found File created C:\Windows\SysWOW64\Nploge32.exe Nkofon32.exe File opened for modification C:\Windows\SysWOW64\Nploge32.exe Nkofon32.exe File opened for modification C:\Windows\SysWOW64\Hmakkqqi.exe Hdigakji.exe File opened for modification C:\Windows\SysWOW64\Gcdmikma.exe Gdmcbojl.exe File created C:\Windows\SysWOW64\Dconnjln.dll Klmfmacc.exe File created C:\Windows\SysWOW64\Odhhdk32.exe Ngdgkf32.exe File created C:\Windows\SysWOW64\Kagnipna.exe Kphbom32.exe File created C:\Windows\SysWOW64\Bfkcepii.dll Oaecne32.exe File opened for modification C:\Windows\SysWOW64\Iionacad.exe Ifndph32.exe File opened for modification C:\Windows\SysWOW64\Aocloj32.exe Adjkol32.exe File opened for modification C:\Windows\SysWOW64\Bkmegaaf.exe Bkkiab32.exe File opened for modification C:\Windows\SysWOW64\Dolpiipk.exe Dhpkgoja.exe File created C:\Windows\SysWOW64\Bhglpqeo.exe Bdiciboh.exe File opened for modification C:\Windows\SysWOW64\Nbnajcig.exe Nmaialjp.exe File opened for modification C:\Windows\SysWOW64\Ceiadj32.exe Cmnlphjd.exe File created C:\Windows\SysWOW64\Iclknd32.dll Ajoiqg32.exe File opened for modification C:\Windows\SysWOW64\Jbblfbdk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Apbblg32.exe Qjcmoqlf.exe File created C:\Windows\SysWOW64\Gilojo32.dll Momqbm32.exe File created C:\Windows\SysWOW64\Eqfcpb32.dll Okciddnh.exe File opened for modification C:\Windows\SysWOW64\Pabkmb32.exe Pnabkgfb.exe File created 
C:\Windows\SysWOW64\Olbepc32.exe Oicidh32.exe File created C:\Windows\SysWOW64\Acgnmkmm.dll Pfabbmeh.exe File created C:\Windows\SysWOW64\Chibhf32.dll Oihacbfh.exe File created C:\Windows\SysWOW64\Elbkddpg.exe Emmnch32.exe File opened for modification C:\Windows\SysWOW64\Gogipbln.exe Gpblof32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djpqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnknhpfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigidd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncogge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjgpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfghodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjqog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobkna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madepihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epegae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebpmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaggqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichbckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbakfcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdehmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhnnc32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmophe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqgqppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjnbem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejbgpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilpblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonenbgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbhmehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnekcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afojgiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lellfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjnaehgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onelbfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odekqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldpfnij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipickfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oicfpkci.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjing32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjlonld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idncfdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkdcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagdgaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abodlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhioeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldajoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhbmfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgbmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meolcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmggdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdigakji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchjacbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmdeg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgjgmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjabhq32.dll" Jfkphnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdmdlaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idncfdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdigakji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmnbnnd.dll" Plfhfiqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldnhfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmnbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhappfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcbpice.dll" Fnneib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apbblg32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilknaem.dll" Aejmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hajbji32.dll" Enjmlgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebpmkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddihapnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmaoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibngfe32.dll" Dhiacg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbiokdam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjebbkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdcnlif.dll" Cckeccnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbpjhnm.dll" Gmjejafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkollo32.dll" Ghagjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkqlodpk.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkhikfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeemh32.dll" Madbll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebpplaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlljiklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocfda32.dll" Fiomhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnhgbc.dll" Lbghpjih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedeee32.dll" Cllaca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljdcqek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeloin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedmjhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkinmkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaflialk.dll" Gpcaqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmhogkd.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlegof32.dll" Cfnmhnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqhffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feljja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efqian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaokhdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpehq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmnch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlogojjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpbmo32.dll" Jeenip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcdmikma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Moapchoj.dll" Inpeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefmqdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egggfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgpfdap.dll" Bomneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpenkgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomaaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejmha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bichbckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlnnp32.dll" Bbkhikfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpblfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appccjdl.dll" Qeakmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlnfof32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiohpk32.dll" Hipmlcae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfqbol32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 2192 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 29 PID 2552 wrote to memory of 2192 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 29 PID 2552 wrote to memory of 2192 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 29 PID 2552 wrote to memory of 2192 2552 1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe 29 PID 2192 wrote to memory of 1724 2192 Cjkcedgp.exe 30 PID 2192 wrote to memory of 1724 2192 Cjkcedgp.exe 30 PID 2192 wrote to memory of 1724 2192 Cjkcedgp.exe 30 PID 2192 wrote to memory of 1724 2192 Cjkcedgp.exe 30 PID 1724 wrote to memory of 2776 1724 Cbfhjfdk.exe 31 PID 1724 wrote to memory of 2776 1724 Cbfhjfdk.exe 31 PID 1724 wrote to memory of 2776 1724 Cbfhjfdk.exe 31 PID 1724 wrote to memory of 2776 1724 Cbfhjfdk.exe 31 PID 2776 wrote to memory of 2440 2776 Dnmhogjo.exe 32 PID 2776 wrote to memory of 2440 2776 Dnmhogjo.exe 32 PID 2776 wrote to memory of 2440 2776 Dnmhogjo.exe 32 PID 2776 wrote to memory of 2440 2776 Dnmhogjo.exe 32 PID 2440 wrote to memory of 2928 2440 Eagdgaoe.exe 33 PID 2440 wrote to memory of 2928 2440 Eagdgaoe.exe 33 PID 2440 wrote to memory of 2928 2440 Eagdgaoe.exe 33 PID 2440 wrote to memory of 2928 2440 Eagdgaoe.exe 33 PID 2928 wrote to memory of 2628 2928 Eibikc32.exe 34 PID 2928 wrote to memory of 2628 2928 Eibikc32.exe 34 PID 2928 wrote to memory of 2628 2928 Eibikc32.exe 34 PID 2928 wrote to memory of 2628 2928 Eibikc32.exe 34 PID 2628 wrote to memory of 2304 2628 Elcbmn32.exe 35 PID 2628 wrote to memory of 2304 2628 Elcbmn32.exe 35 PID 2628 wrote to memory of 2304 2628 Elcbmn32.exe 35 PID 2628 wrote to memory of 2304 2628 Elcbmn32.exe 35 PID 2304 wrote to memory of 1364 2304 Gdmcbojl.exe 36 PID 2304 wrote to memory of 1364 2304 Gdmcbojl.exe 36 PID 2304 wrote to memory of 1364 2304 Gdmcbojl.exe 36 PID 2304 wrote to memory of 1364 2304 Gdmcbojl.exe 36 PID 1364 
wrote to memory of 1740 1364 Gcdmikma.exe 37 PID 1364 wrote to memory of 1740 1364 Gcdmikma.exe 37 PID 1364 wrote to memory of 1740 1364 Gcdmikma.exe 37 PID 1364 wrote to memory of 1740 1364 Gcdmikma.exe 37 PID 1740 wrote to memory of 1720 1740 Hopgikop.exe 38 PID 1740 wrote to memory of 1720 1740 Hopgikop.exe 38 PID 1740 wrote to memory of 1720 1740 Hopgikop.exe 38 PID 1740 wrote to memory of 1720 1740 Hopgikop.exe 38 PID 1720 wrote to memory of 2976 1720 Hjkdoh32.exe 39 PID 1720 wrote to memory of 2976 1720 Hjkdoh32.exe 39 PID 1720 wrote to memory of 2976 1720 Hjkdoh32.exe 39 PID 1720 wrote to memory of 2976 1720 Hjkdoh32.exe 39 PID 2976 wrote to memory of 1484 2976 Hjnaehgj.exe 40 PID 2976 wrote to memory of 1484 2976 Hjnaehgj.exe 40 PID 2976 wrote to memory of 1484 2976 Hjnaehgj.exe 40 PID 2976 wrote to memory of 1484 2976 Hjnaehgj.exe 40 PID 1484 wrote to memory of 2408 1484 Hmojfcdk.exe 41 PID 1484 wrote to memory of 2408 1484 Hmojfcdk.exe 41 PID 1484 wrote to memory of 2408 1484 Hmojfcdk.exe 41 PID 1484 wrote to memory of 2408 1484 Hmojfcdk.exe 41 PID 2408 wrote to memory of 2272 2408 Ickoimie.exe 42 PID 2408 wrote to memory of 2272 2408 Ickoimie.exe 42 PID 2408 wrote to memory of 2272 2408 Ickoimie.exe 42 PID 2408 wrote to memory of 2272 2408 Ickoimie.exe 42 PID 2272 wrote to memory of 604 2272 Icmlnmgb.exe 43 PID 2272 wrote to memory of 604 2272 Icmlnmgb.exe 43 PID 2272 wrote to memory of 604 2272 Icmlnmgb.exe 43 PID 2272 wrote to memory of 604 2272 Icmlnmgb.exe 43 PID 604 wrote to memory of 1096 604 Ifndph32.exe 44 PID 604 wrote to memory of 1096 604 Ifndph32.exe 44 PID 604 wrote to memory of 1096 604 Ifndph32.exe 44 PID 604 wrote to memory of 1096 604 Ifndph32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe"C:\Users\Admin\AppData\Local\Temp\1aaa5cca819064508a447e37d43b76ed2a8ba92ead5c68840c4393ea455455a2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Cjkcedgp.exeC:\Windows\system32\Cjkcedgp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Hopgikop.exeC:\Windows\system32\Hopgikop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Hjkdoh32.exeC:\Windows\system32\Hjkdoh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Jkpfcnoe.exeC:\Windows\system32\Jkpfcnoe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Jgfghodj.exeC:\Windows\system32\Jgfghodj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:428 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Khhpmbeb.exeC:\Windows\system32\Khhpmbeb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Lkkfdmpq.exeC:\Windows\system32\Lkkfdmpq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Lknbjlnn.exeC:\Windows\system32\Lknbjlnn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Lpodmb32.exeC:\Windows\system32\Lpodmb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Moikinib.exeC:\Windows\system32\Moikinib.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe33⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe34⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Ndfppije.exeC:\Windows\system32\Ndfppije.exe36⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe38⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ognobcqo.exeC:\Windows\system32\Ognobcqo.exe39⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe40⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe41⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe42⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe43⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe44⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe45⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe46⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Qjcmoqlf.exeC:\Windows\system32\Qjcmoqlf.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe49⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Aoilcc32.exeC:\Windows\system32\Aoilcc32.exe50⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe53⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Bcbhmehg.exeC:\Windows\system32\Bcbhmehg.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe56⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe57⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe59⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Coehnecn.exeC:\Windows\system32\Coehnecn.exe61⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe63⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe64⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe65⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Elpnmhgh.exeC:\Windows\system32\Elpnmhgh.exe66⤵PID:860
-
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe67⤵PID:680
-
C:\Windows\SysWOW64\Emdgjpkd.exeC:\Windows\system32\Emdgjpkd.exe68⤵PID:2132
-
C:\Windows\SysWOW64\Ejhhcdjm.exeC:\Windows\system32\Ejhhcdjm.exe69⤵PID:1380
-
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe71⤵PID:968
-
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe72⤵PID:2592
-
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe73⤵PID:1908
-
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe74⤵PID:2740
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe75⤵PID:1728
-
C:\Windows\SysWOW64\Hldpfnij.exeC:\Windows\system32\Hldpfnij.exe76⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Hhnnpolk.exeC:\Windows\system32\Hhnnpolk.exe77⤵PID:2124
-
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Hnmcne32.exeC:\Windows\system32\Hnmcne32.exe79⤵PID:2064
-
C:\Windows\SysWOW64\Ibklddof.exeC:\Windows\system32\Ibklddof.exe80⤵PID:1716
-
C:\Windows\SysWOW64\Inaliedk.exeC:\Windows\system32\Inaliedk.exe81⤵PID:1676
-
C:\Windows\SysWOW64\Iqbekpal.exeC:\Windows\system32\Iqbekpal.exe82⤵PID:1536
-
C:\Windows\SysWOW64\Inffdd32.exeC:\Windows\system32\Inffdd32.exe83⤵PID:1632
-
C:\Windows\SysWOW64\Iqgofo32.exeC:\Windows\system32\Iqgofo32.exe84⤵PID:668
-
C:\Windows\SysWOW64\Jbhkngcd.exeC:\Windows\system32\Jbhkngcd.exe85⤵PID:1016
-
C:\Windows\SysWOW64\Jeidob32.exeC:\Windows\system32\Jeidob32.exe86⤵PID:1308
-
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe87⤵PID:276
-
C:\Windows\SysWOW64\Joaebkni.exeC:\Windows\system32\Joaebkni.exe88⤵PID:2340
-
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe89⤵PID:1348
-
C:\Windows\SysWOW64\Kmkodd32.exeC:\Windows\system32\Kmkodd32.exe90⤵PID:2108
-
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe91⤵PID:2720
-
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe92⤵PID:2812
-
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe93⤵PID:2472
-
C:\Windows\SysWOW64\Kigidd32.exeC:\Windows\system32\Kigidd32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Kclmbm32.exeC:\Windows\system32\Kclmbm32.exe95⤵PID:2820
-
C:\Windows\SysWOW64\Klgbfo32.exeC:\Windows\system32\Klgbfo32.exe96⤵PID:2612
-
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe97⤵PID:2512
-
C:\Windows\SysWOW64\Lbdghi32.exeC:\Windows\system32\Lbdghi32.exe98⤵PID:1844
-
C:\Windows\SysWOW64\Lllkaobc.exeC:\Windows\system32\Lllkaobc.exe99⤵PID:2284
-
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe100⤵PID:2092
-
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe101⤵PID:272
-
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe102⤵PID:2068
-
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe103⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe104⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe105⤵
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Nocgbl32.exeC:\Windows\system32\Nocgbl32.exe106⤵PID:2188
-
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe107⤵PID:2744
-
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe108⤵PID:2660
-
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe109⤵PID:2892
-
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe110⤵PID:2096
-
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe111⤵PID:2488
-
C:\Windows\SysWOW64\Odpljf32.exeC:\Windows\system32\Odpljf32.exe112⤵PID:2680
-
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe114⤵PID:2940
-
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe115⤵PID:3016
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe116⤵PID:1244
-
C:\Windows\SysWOW64\Pbdhbnnp.exeC:\Windows\system32\Pbdhbnnp.exe117⤵PID:1804
-
C:\Windows\SysWOW64\Qfbahldf.exeC:\Windows\system32\Qfbahldf.exe118⤵PID:3048
-
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe119⤵PID:1860
-
C:\Windows\SysWOW64\Aanonj32.exeC:\Windows\system32\Aanonj32.exe120⤵PID:1048
-
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe121⤵PID:2880
-
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe122⤵PID:3004