Analysis
-
max time kernel
39s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17-08-2024 05:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c8c92d482f83404f466883175967a90N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
3c8c92d482f83404f466883175967a90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3c8c92d482f83404f466883175967a90N.exe
-
Size
100KB
-
MD5
3c8c92d482f83404f466883175967a90
-
SHA1
f0654330e4768be7ee8abe6eddc4d48f60092ee0
-
SHA256
f081c4b1046d89a1f2bdc9f8a057adc49feb90f3385c0ff6c85d0906d8fb537f
-
SHA512
d80a290ec4cf1b2a3581680f0055e371445801656fe7fd5b9e81ff23349ca963673a0b4ead8f0ece5a6ed847b4f0e607921e1059f10d7ae80c93d2ef5a1ac7ce
-
SSDEEP
3072:9f1xHPs/HqP4UihL7z/Kgb3a3+X13XRz:9fTHPs/HvUihL77D7aOl3Bz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljkif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjijkmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikapdqoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmbje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baealp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjqcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbnec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohengmcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjmmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llebnfpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndgeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liibgkoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johoic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgodcich.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciglaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcimipf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomjng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biccfalm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmmcjjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnbjpqoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabplobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdfjfmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhapocoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fheoiqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okkddd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqiiaih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhalngad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndjfgkha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmbje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihiabfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peeabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdcnhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdcepcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omnmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngoleb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcebj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Fedfgejh.exe 2748 Fhbbcail.exe 2992 Fakglf32.exe 2884 Fheoiqgi.exe 688 Famcbf32.exe 2660 Fhglop32.exe 1640 Fappgflg.exe 2904 Fhjhdp32.exe 1008 Fmfalg32.exe 1932 Fdqiiaih.exe 2924 Gjjafkpe.exe 2344 Gllnnc32.exe 1956 Gipngg32.exe 772 Gpjfcali.exe 2236 Gefolhja.exe 812 Glpgibbn.exe 2368 Gbjpem32.exe 1108 Geilah32.exe 2576 Ghghnc32.exe 1272 Gkedjo32.exe 764 Gekhgh32.exe 2148 Gleqdb32.exe 2260 Hdpehd32.exe 3052 Hkjnenbp.exe 1592 Hadfah32.exe 2756 Hdbbnd32.exe 2820 Hpicbe32.exe 2872 Hchoop32.exe 2648 Hnmcli32.exe 2680 Hgfheodo.exe 1152 Hehhqk32.exe 2132 Hoalia32.exe 2700 Hclhjpjc.exe 2912 Ihiabfhk.exe 2936 Ijimli32.exe 2972 Ihlnhffh.exe 2520 Ikjjda32.exe 2360 Iadbqlmh.exe 1196 Ilifndlo.exe 2416 Inkcem32.exe 2124 Idekbgji.exe 2380 Igcgnbim.exe 2384 Ikocoa32.exe 2412 Iqllghon.exe 1388 Ikapdqoc.exe 2508 Inplqlng.exe 988 Ibkhak32.exe 572 Jdidmf32.exe 2800 Jcleiclo.exe 2736 Jjfmem32.exe 3060 Jnbifl32.exe 2724 Jdlacfca.exe 2084 Jcoanb32.exe 2540 Jjijkmbi.exe 1852 Jmgfgham.exe 2780 Joebccpp.exe 1916 Jfojpn32.exe 2356 Jjkfqlpf.exe 1620 Jinfli32.exe 1492 Johoic32.exe 1864 Jbfkeo32.exe 2552 Jjmcfl32.exe 2140 Jmlobg32.exe 824 Jcfgoadd.exe -
Loads dropped DLL 64 IoCs
pid Process 1316 3c8c92d482f83404f466883175967a90N.exe 1316 3c8c92d482f83404f466883175967a90N.exe 2224 Fedfgejh.exe 2224 Fedfgejh.exe 2748 Fhbbcail.exe 2748 Fhbbcail.exe 2992 Fakglf32.exe 2992 Fakglf32.exe 2884 Fheoiqgi.exe 2884 Fheoiqgi.exe 688 Famcbf32.exe 688 Famcbf32.exe 2660 Fhglop32.exe 2660 Fhglop32.exe 1640 Fappgflg.exe 1640 Fappgflg.exe 2904 Fhjhdp32.exe 2904 Fhjhdp32.exe 1008 Fmfalg32.exe 1008 Fmfalg32.exe 1932 Fdqiiaih.exe 1932 Fdqiiaih.exe 2924 Gjjafkpe.exe 2924 Gjjafkpe.exe 2344 Gllnnc32.exe 2344 Gllnnc32.exe 1956 Gipngg32.exe 1956 Gipngg32.exe 772 Gpjfcali.exe 772 Gpjfcali.exe 2236 Gefolhja.exe 2236 Gefolhja.exe 812 Glpgibbn.exe 812 Glpgibbn.exe 2368 Gbjpem32.exe 2368 Gbjpem32.exe 1108 Geilah32.exe 1108 Geilah32.exe 2576 Ghghnc32.exe 2576 Ghghnc32.exe 1272 Gkedjo32.exe 1272 Gkedjo32.exe 764 Gekhgh32.exe 764 Gekhgh32.exe 2148 Gleqdb32.exe 2148 Gleqdb32.exe 2260 Hdpehd32.exe 2260 Hdpehd32.exe 3052 Hkjnenbp.exe 3052 Hkjnenbp.exe 1592 Hadfah32.exe 1592 Hadfah32.exe 2756 Hdbbnd32.exe 2756 Hdbbnd32.exe 2820 Hpicbe32.exe 2820 Hpicbe32.exe 2872 Hchoop32.exe 2872 Hchoop32.exe 2648 Hnmcli32.exe 2648 Hnmcli32.exe 2680 Hgfheodo.exe 2680 Hgfheodo.exe 1152 Hehhqk32.exe 1152 Hehhqk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gipngg32.exe Gllnnc32.exe File opened for modification C:\Windows\SysWOW64\Qpaohjkk.exe Qmcclolh.exe File opened for modification C:\Windows\SysWOW64\Gekhgh32.exe Gkedjo32.exe File created C:\Windows\SysWOW64\Gllnei32.dll Oqlfhjch.exe File created C:\Windows\SysWOW64\Mmkhejmb.dll Ghghnc32.exe File opened for modification C:\Windows\SysWOW64\Jcleiclo.exe Jdidmf32.exe File opened for modification C:\Windows\SysWOW64\Baealp32.exe Binikb32.exe File created C:\Windows\SysWOW64\Khpbbn32.dll Ckkenikc.exe File created C:\Windows\SysWOW64\Nommodjj.exe Nhcebj32.exe File created C:\Windows\SysWOW64\Aebakp32.exe Afpapcnc.exe File opened for modification C:\Windows\SysWOW64\Mgkbjb32.exe Mcofid32.exe File created C:\Windows\SysWOW64\Ccnddg32.exe Cpohhk32.exe File opened for modification C:\Windows\SysWOW64\Nnbjpqoa.exe Noojdc32.exe File created C:\Windows\SysWOW64\Hmhonm32.dll Ongckp32.exe File created C:\Windows\SysWOW64\Aphehidc.exe Amjiln32.exe File created C:\Windows\SysWOW64\Ahhchk32.exe Admgglep.exe File opened for modification C:\Windows\SysWOW64\Jjkfqlpf.exe Jfojpn32.exe File created C:\Windows\SysWOW64\Pijgbl32.exe Pbpoebgc.exe File opened for modification C:\Windows\SysWOW64\Cenmfbml.exe Cabaec32.exe File created C:\Windows\SysWOW64\Dhfljfho.dll Fhbbcail.exe File created C:\Windows\SysWOW64\Gbjpem32.exe Glpgibbn.exe File created C:\Windows\SysWOW64\Bmnofp32.exe Biccfalm.exe File created C:\Windows\SysWOW64\Mhcicf32.exe Meemgk32.exe File created C:\Windows\SysWOW64\Ljplkonl.exe Lhapocoi.exe File created C:\Windows\SysWOW64\Kaggbihl.exe Kjmoeo32.exe File opened for modification C:\Windows\SysWOW64\Abkkpd32.exe Ajdcofop.exe File created C:\Windows\SysWOW64\Mjhdbb32.dll Binikb32.exe File created C:\Windows\SysWOW64\Eikcigkl.dll Kjmoeo32.exe File opened for modification C:\Windows\SysWOW64\Podpoffm.exe Pmecbkgj.exe File opened for modification C:\Windows\SysWOW64\Famcbf32.exe Fheoiqgi.exe File created C:\Windows\SysWOW64\Obnbpb32.exe Ooofcg32.exe File opened for modification C:\Windows\SysWOW64\Aebakp32.exe Afpapcnc.exe File created C:\Windows\SysWOW64\Admgglep.exe Aankkqfl.exe File created C:\Windows\SysWOW64\Pqgilnji.exe Pnimpcke.exe File created C:\Windows\SysWOW64\Pbgefa32.exe Pjpmdd32.exe File opened for modification C:\Windows\SysWOW64\Biccfalm.exe Bgdfjfmi.exe File created C:\Windows\SysWOW64\Gllnnc32.exe Gjjafkpe.exe File created C:\Windows\SysWOW64\Bnfbaa32.dll Ijimli32.exe File created C:\Windows\SysWOW64\Jfddkmch.exe Jcfgoadd.exe File created C:\Windows\SysWOW64\Nokalbod.dll Manjaldo.exe File created C:\Windows\SysWOW64\Gefolhja.exe Gpjfcali.exe File created C:\Windows\SysWOW64\Odfhpd32.dll Iadbqlmh.exe File created C:\Windows\SysWOW64\Jcleiclo.exe Jdidmf32.exe File created C:\Windows\SysWOW64\Bpmkbl32.exe Bmnofp32.exe File created C:\Windows\SysWOW64\Glpgibbn.exe Gefolhja.exe File created C:\Windows\SysWOW64\Inplqlng.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Enihha32.dll Ojdjqp32.exe File created C:\Windows\SysWOW64\Jcfddmhe.dll Pnfpjc32.exe File opened for modification C:\Windows\SysWOW64\Ljplkonl.exe Lhapocoi.exe File created C:\Windows\SysWOW64\Monann32.dll Kigibh32.exe File created C:\Windows\SysWOW64\Hjgkgm32.dll Nndgeplo.exe File created C:\Windows\SysWOW64\Occlcg32.exe Odqlhjbi.exe File created C:\Windows\SysWOW64\Kafano32.dll Ihlnhffh.exe File created C:\Windows\SysWOW64\Ckmbdh32.exe Chofhm32.exe File created C:\Windows\SysWOW64\Gjjafkpe.exe Fdqiiaih.exe File opened for modification C:\Windows\SysWOW64\Inplqlng.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Ggmaao32.dll Nokqidll.exe File opened for modification C:\Windows\SysWOW64\Ndlbmk32.exe Neibanod.exe File opened for modification C:\Windows\SysWOW64\Ogaeieoj.exe Odcimipf.exe File created C:\Windows\SysWOW64\Opnphfdp.dll Fedfgejh.exe File created C:\Windows\SysWOW64\Hehhqk32.exe Hgfheodo.exe File created C:\Windows\SysWOW64\Kkalcdao.exe Jfddkmch.exe File created C:\Windows\SysWOW64\Lenffl32.exe Lodnjboi.exe File created C:\Windows\SysWOW64\Dnmcjanc.dll Mkaeob32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johoic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcgmkil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpapcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiabfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meemgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolhdbjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c8c92d482f83404f466883175967a90N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepanje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdcofop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehhqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfddkmch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqlbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geilah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipefmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfgkha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljplkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odqlhjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acadchoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podpoffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codeih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlbmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnofp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlnhffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjnenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oapcfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmiolk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmbje32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdhdn32.dll" Gkedjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbjpem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbfkeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll" Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fakglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecllkodg.dll" Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epdcmhdd.dll" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anmbje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 3c8c92d482f83404f466883175967a90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ollqllod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljpjc32.dll" Jmlobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geilah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcfgoadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjqlaec.dll" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peeabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alaccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfimp32.dll" Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokalbod.dll" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijimli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdaabk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlgai32.dll" Hoalia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgaahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnehjal.dll" Gbjpem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omnmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakfjp32.dll" Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalnli32.dll" Ahcjmkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiagedmf.dll" Mghfdcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll" Cpohhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 3c8c92d482f83404f466883175967a90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohengmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpmkbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ollqllod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bbikig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglnmheg.dll" Pkojoghl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhec32.dll" Hclhjpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oapcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqaiha32.dll" Hgfheodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpohhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojkhjabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckkenikc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" Pfnhkq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1316 wrote to memory of 2224 1316 3c8c92d482f83404f466883175967a90N.exe 30 PID 1316 wrote to memory of 2224 1316 3c8c92d482f83404f466883175967a90N.exe 30 PID 1316 wrote to memory of 2224 1316 3c8c92d482f83404f466883175967a90N.exe 30 PID 1316 wrote to memory of 2224 1316 3c8c92d482f83404f466883175967a90N.exe 30 PID 2224 wrote to memory of 2748 2224 Fedfgejh.exe 31 PID 2224 wrote to memory of 2748 2224 Fedfgejh.exe 31 PID 2224 wrote to memory of 2748 2224 Fedfgejh.exe 31 PID 2224 wrote to memory of 2748 2224 Fedfgejh.exe 31 PID 2748 wrote to memory of 2992 2748 Fhbbcail.exe 32 PID 2748 wrote to memory of 2992 2748 Fhbbcail.exe 32 PID 2748 wrote to memory of 2992 2748 Fhbbcail.exe 32 PID 2748 wrote to memory of 2992 2748 Fhbbcail.exe 32 PID 2992 wrote to memory of 2884 2992 Fakglf32.exe 33 PID 2992 wrote to memory of 2884 2992 Fakglf32.exe 33 PID 2992 wrote to memory of 2884 2992 Fakglf32.exe 33 PID 2992 wrote to memory of 2884 2992 Fakglf32.exe 33 PID 2884 wrote to memory of 688 2884 Fheoiqgi.exe 34 PID 2884 wrote to memory of 688 2884 Fheoiqgi.exe 34 PID 2884 wrote to memory of 688 2884 Fheoiqgi.exe 34 PID 2884 wrote to memory of 688 2884 Fheoiqgi.exe 34 PID 688 wrote to memory of 2660 688 Famcbf32.exe 35 PID 688 wrote to memory of 2660 688 Famcbf32.exe 35 PID 688 wrote to memory of 2660 688 Famcbf32.exe 35 PID 688 wrote to memory of 2660 688 Famcbf32.exe 35 PID 2660 wrote to memory of 1640 2660 Fhglop32.exe 36 PID 2660 wrote to memory of 1640 2660 Fhglop32.exe 36 PID 2660 wrote to memory of 1640 2660 Fhglop32.exe 36 PID 2660 wrote to memory of 1640 2660 Fhglop32.exe 36 PID 1640 wrote to memory of 2904 1640 Fappgflg.exe 37 PID 1640 wrote to memory of 2904 1640 Fappgflg.exe 37 PID 1640 wrote to memory of 2904 1640 Fappgflg.exe 37 PID 1640 wrote to memory of 2904 1640 Fappgflg.exe 37 PID 2904 wrote to memory of 1008 2904 Fhjhdp32.exe 38 PID 2904 wrote to memory of 1008 2904 Fhjhdp32.exe 38 PID 2904 wrote to memory of 1008 2904 Fhjhdp32.exe 38 PID 2904 wrote to memory of 1008 2904 Fhjhdp32.exe 38 PID 1008 wrote to memory of 1932 1008 Fmfalg32.exe 39 PID 1008 wrote to memory of 1932 1008 Fmfalg32.exe 39 PID 1008 wrote to memory of 1932 1008 Fmfalg32.exe 39 PID 1008 wrote to memory of 1932 1008 Fmfalg32.exe 39 PID 1932 wrote to memory of 2924 1932 Fdqiiaih.exe 40 PID 1932 wrote to memory of 2924 1932 Fdqiiaih.exe 40 PID 1932 wrote to memory of 2924 1932 Fdqiiaih.exe 40 PID 1932 wrote to memory of 2924 1932 Fdqiiaih.exe 40 PID 2924 wrote to memory of 2344 2924 Gjjafkpe.exe 41 PID 2924 wrote to memory of 2344 2924 Gjjafkpe.exe 41 PID 2924 wrote to memory of 2344 2924 Gjjafkpe.exe 41 PID 2924 wrote to memory of 2344 2924 Gjjafkpe.exe 41 PID 2344 wrote to memory of 1956 2344 Gllnnc32.exe 42 PID 2344 wrote to memory of 1956 2344 Gllnnc32.exe 42 PID 2344 wrote to memory of 1956 2344 Gllnnc32.exe 42 PID 2344 wrote to memory of 1956 2344 Gllnnc32.exe 42 PID 1956 wrote to memory of 772 1956 Gipngg32.exe 43 PID 1956 wrote to memory of 772 1956 Gipngg32.exe 43 PID 1956 wrote to memory of 772 1956 Gipngg32.exe 43 PID 1956 wrote to memory of 772 1956 Gipngg32.exe 43 PID 772 wrote to memory of 2236 772 Gpjfcali.exe 44 PID 772 wrote to memory of 2236 772 Gpjfcali.exe 44 PID 772 wrote to memory of 2236 772 Gpjfcali.exe 44 PID 772 wrote to memory of 2236 772 Gpjfcali.exe 44 PID 2236 wrote to memory of 812 2236 Gefolhja.exe 45 PID 2236 wrote to memory of 812 2236 Gefolhja.exe 45 PID 2236 wrote to memory of 812 2236 Gefolhja.exe 45 PID 2236 wrote to memory of 812 2236 Gefolhja.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c8c92d482f83404f466883175967a90N.exe"C:\Users\Admin\AppData\Local\Temp\3c8c92d482f83404f466883175967a90N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe38⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe40⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe41⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe42⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe43⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe44⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe45⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe47⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe48⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe50⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe52⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe53⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe54⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe56⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe57⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe59⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Jjmcfl32.exeC:\Windows\system32\Jjmcfl32.exe63⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe67⤵PID:2024
-
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe69⤵PID:2608
-
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Kkciic32.exeC:\Windows\system32\Kkciic32.exe71⤵PID:3068
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe72⤵PID:1376
-
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe75⤵PID:2180
-
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Kabngjla.exeC:\Windows\system32\Kabngjla.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe78⤵PID:1808
-
C:\Windows\SysWOW64\Kjkbpp32.exeC:\Windows\system32\Kjkbpp32.exe79⤵PID:2404
-
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe81⤵PID:1624
-
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Kjmoeo32.exeC:\Windows\system32\Kjmoeo32.exe83⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe84⤵PID:2184
-
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe85⤵PID:2676
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Ljplkonl.exeC:\Windows\system32\Ljplkonl.exe87⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe88⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe89⤵PID:1524
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe90⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe91⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe93⤵PID:1780
-
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe94⤵PID:2984
-
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe95⤵PID:1484
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe98⤵PID:2604
-
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe100⤵PID:2844
-
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe101⤵PID:2200
-
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe103⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe106⤵PID:3028
-
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe107⤵PID:1480
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe110⤵PID:2772
-
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe113⤵
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe115⤵PID:1896
-
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe116⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe117⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe119⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe120⤵PID:1532
-
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe121⤵PID:1792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-