Analysis

max time kernel: 120s
max time network: 20s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 17:28
Static task: static1

Behavioral task: behavioral1
  Sample: c0c08064a07e228501d161249af029a0N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: c0c08064a07e228501d161249af029a0N.exe
  Resource: win10v2004-20240802-en
General

Target: c0c08064a07e228501d161249af029a0N.exe
Size: 64KB
MD5: c0c08064a07e228501d161249af029a0
SHA1: 25e13d7c91c0bcd6ecc439a8303028be1b50d1bd
SHA256: dc0cc260adb6fa57b858b1416b30610ba22ba5dbd92388c55a1a691fec2b1fb5
SHA512: e4dc505936a0514ffed06fa0e07cc5aa41da5933e367de73443188f2ab902154c2de577672106e86d7699ac756d1feeaaa044dbfca1f86493c82069115cdbccb
SSDEEP: 768:rd1cFlXjCZUmqvFJmZ49m6g9z3L6lC6CjR/1H5HZAQ6AfX8tG9nB6rRIrztrTmks:jcvjMqvFMZ49mB9rL6EQQ6OX8UwwPnBm
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 events touch the same ShellServiceObjectDelayLoad (SSODL) key. The value name ("Web Event Logger") and the CLSID it carries never change across the run; only the process writing it does, because each generation of the dropped executable re-registers the same entry.

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (29 events): Nlpllpoc.exe, Ngkhiebk.exe, Cgenbadb.exe, Dbcgpjkb.exe, Mfillm32.exe, Njhhiiok.exe, Igcnfhob.exe, Mnonaa32.exe, Bannajom.exe, Ghkplk32.exe, Cblogb32.exe, Nbjgacnd.exe, Ppoboj32.exe, Ddchlj32.exe, Jhobea32.exe, Mioaalkn.exe, Focdad32.exe, Gcomafnh.exe, Jfdjdpdn.exe, Ohjhlqbc.exe, Gdlbdken.exe, Klaojm32.exe, Iiimnjmp.exe, and Process not Found (6 events)

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (35 events): Iinadl32.exe, Cflcglho.exe, Aaiamamk.exe, Cfpmqg32.exe, Lcnlbbiq.exe, Ooacegfd.exe, Iccdhm32.exe, Omjljg32.exe, Blpkmljl.exe, Gdlbdken.exe, Ggmlffbo.exe, Ngkhiebk.exe, Ppklhh32.exe, Fjchnclk.exe, Ocoodjan.exe, Limhmije.exe, Nnbagfdg.exe, Abogpiod.exe, Cjljmjmd.exe, Afnbop32.exe, Gifgml32.exe, Iolmapfa.exe, Fljjhb32.exe, Fhpoalho.exe, and Process not Found (11 events)
Executes dropped EXE (64 IoCs)

pid   Process
2452  Anjjjn32.exe
3064  Bjqjoolp.exe
2904  Bcklmdqn.exe
2128  Bfldopno.exe
2668  Cgpnlgak.exe
2580  Ccfoah32.exe
2204  Cajokmfi.exe
2144  Cnnpdaeb.exe
2080  Cpbiaiin.exe
1516  Diljpn32.exe
1576  Deckeo32.exe
1564  Deegjo32.exe
1756  Ddmaak32.exe
2316  Ehkjgi32.exe
3040  Eklbid32.exe
1676  Emmljodk.exe
2436  Eaoadb32.exe
2096  Faanibeh.exe
2440  Flfbfken.exe
2004  Facjobce.exe
1556  Fnjkdcii.exe
1452  Fhpoalho.exe
1776  Fjchnclk.exe
1672  Gdimlllq.exe
892   Ipnigl32.exe
2280  Jbclcf32.exe
2120  Jifjod32.exe
2624  Jppbkoaf.exe
2636  Kpdlfn32.exe
2692  Klkmkoce.exe
1684  Kedaddif.exe
2564  Kajbie32.exe
3060  Koobcj32.exe
1728  Kkechk32.exe
428   Lkgpmj32.exe
2868  Lccdamop.exe
1540  Llkijb32.exe
556   Lgqmhk32.exe
2044  Lqknfq32.exe
2340  Mhfckc32.exe
2132  Mclghl32.exe
2336  Mbadih32.exe
108   Mqfajdpe.exe
1860  Mnjaci32.exe
1368  Mjabhjec.exe
668   Ngecbndm.exe
868   Nppgfp32.exe
952   Nfjpcjhe.exe
3012  Nmdhpd32.exe
1752  Ncnplogn.exe
2480  Njhhiiok.exe
2736  Npeaapmb.exe
2764  Ncqmbn32.exe
2620  Nimeje32.exe
2536  Nbfjckjc.exe
1972  Olnnlpqd.exe
1816  Obhfhj32.exe
2424  Oheoaa32.exe
1072  Onognkne.exe
2572  Oamcjgmi.exe
1048  Olchgp32.exe
2180  Omddohbm.exe
2632  Ohjhlqbc.exe
604   Omfadgqj.exe
Loads dropped DLL (64 IoCs)

Every pid/Process pair appears twice in the report's table (two load events per process); each pair is listed once here.

pid   Process
1420  c0c08064a07e228501d161249af029a0N.exe
2452  Anjjjn32.exe
3064  Bjqjoolp.exe
2904  Bcklmdqn.exe
2128  Bfldopno.exe
2668  Cgpnlgak.exe
2580  Ccfoah32.exe
2204  Cajokmfi.exe
2144  Cnnpdaeb.exe
2080  Cpbiaiin.exe
1516  Diljpn32.exe
1576  Deckeo32.exe
1564  Deegjo32.exe
1756  Ddmaak32.exe
2316  Ehkjgi32.exe
3040  Eklbid32.exe
1676  Emmljodk.exe
2436  Eaoadb32.exe
2096  Faanibeh.exe
2440  Flfbfken.exe
2004  Facjobce.exe
1556  Fnjkdcii.exe
1452  Fhpoalho.exe
1776  Fjchnclk.exe
1672  Gdimlllq.exe
892   Ipnigl32.exe
2280  Jbclcf32.exe
2120  Jifjod32.exe
2624  Jppbkoaf.exe
2636  Kpdlfn32.exe
2692  Klkmkoce.exe
1684  Kedaddif.exe
Drops file in System32 directory (64 IoCs)

description                   ioc                                Process
File created                  C:\Windows\SysWOW64\Fmkgaqfc.dll   Hlcimd32.exe
File created                  C:\Windows\SysWOW64\Obohhd32.dll   Ipmgppdk.exe
File created                  C:\Windows\SysWOW64\Hpbfed32.exe   Hblifphg.exe
File created                  C:\Windows\SysWOW64\Acglco32.dll   Ppkccn32.exe
File created                  C:\Windows\SysWOW64\Okkcioak.dll   Bmnpba32.exe
File created                  C:\Windows\SysWOW64\Ifikfcaa.dll   Process not Found
File created                  C:\Windows\SysWOW64\Jdjlbnnb.dll   Process not Found
File created                  C:\Windows\SysWOW64\Obhfhj32.exe   Olnnlpqd.exe
File created                  C:\Windows\SysWOW64\Jaiknk32.exe   Jgqfefpe.exe
File created                  C:\Windows\SysWOW64\Gfpnkheh.dll   Process not Found
File created                  C:\Windows\SysWOW64\Iiaiih32.dll   Gemham32.exe
File created                  C:\Windows\SysWOW64\Opfdfmka.exe   Nepphdkl.exe
File opened for modification  C:\Windows\SysWOW64\Ckjaih32.exe   Bppqhjnp.exe
File opened for modification  C:\Windows\SysWOW64\Mhpkmc32.exe   Process not Found
File created                  C:\Windows\SysWOW64\Hkgmkbih.exe   Hbohblcg.exe
File created                  C:\Windows\SysWOW64\Pcghicbm.dll   Aljinncb.exe
File created                  C:\Windows\SysWOW64\Epkijl32.dll   Lelphbon.exe
File opened for modification  C:\Windows\SysWOW64\Lpadghie.exe   Lkdloakn.exe
File opened for modification  C:\Windows\SysWOW64\Pmmipkmh.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\Dcjcmg32.exe   Process not Found
File created                  C:\Windows\SysWOW64\Glkfhb32.dll   Process not Found
File opened for modification  C:\Windows\SysWOW64\Nomofini.exe   Process not Found
File created                  C:\Windows\SysWOW64\Ggmlffbo.exe   Gapcnodg.exe
File opened for modification  C:\Windows\SysWOW64\Bbehebak.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\Jjkmjopm.exe   Jendbhbe.exe
File created                  C:\Windows\SysWOW64\Fdghii32.dll   Process not Found
File created                  C:\Windows\SysWOW64\Pllmhc32.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\Pbjknlgc.exe   Process not Found
File created                  C:\Windows\SysWOW64\Dfgeqgpn.dll   Process not Found
File created                  C:\Windows\SysWOW64\Pchdcb32.exe   Pjpojljg.exe
File opened for modification  C:\Windows\SysWOW64\Lfopbojj.exe   Lnhhab32.exe
File opened for modification  C:\Windows\SysWOW64\Bpedai32.exe   Process not Found
File created                  C:\Windows\SysWOW64\Eafblgqc.dll   Eklbid32.exe
File opened for modification  C:\Windows\SysWOW64\Nkeimmdk.exe   Nehqdf32.exe
File created                  C:\Windows\SysWOW64\Jnnejo32.exe   Jmmhbfjq.exe
File opened for modification  C:\Windows\SysWOW64\Mibmdq32.exe   Lpjhkkbc.exe
File opened for modification  C:\Windows\SysWOW64\Pdaleoef.exe   Pcapkl32.exe
File opened for modification  C:\Windows\SysWOW64\Mfillm32.exe   Mhelbine.exe
File created                  C:\Windows\SysWOW64\Ghmmhl32.dll   Process not Found
File created                  C:\Windows\SysWOW64\Hbnajbjm.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\Jcdaah32.exe   Jinmco32.exe
File created                  C:\Windows\SysWOW64\Bhecnndq.exe   Bgffdk32.exe
File created                  C:\Windows\SysWOW64\Abflnp32.dll   Process not Found
File opened for modification  C:\Windows\SysWOW64\Ffhoam32.exe   Emojih32.exe
File created                  C:\Windows\SysWOW64\Qabhchlj.dll   Fppcjcfn.exe
File opened for modification  C:\Windows\SysWOW64\Njfnlahb.exe   Nfhefc32.exe
File created                  C:\Windows\SysWOW64\Kgeppn32.dll   Bpfgheco.exe
File created                  C:\Windows\SysWOW64\Oppmoijn.dll   Ddchlj32.exe
File created                  C:\Windows\SysWOW64\Gdjdpb32.dll   Process not Found
File created                  C:\Windows\SysWOW64\Hmbgllob.dll   Process not Found
File created                  C:\Windows\SysWOW64\Lkmhbpqc.dll   Facjobce.exe
File created                  C:\Windows\SysWOW64\Hgagdp32.dll   Klaojm32.exe
File opened for modification  C:\Windows\SysWOW64\Ehnjpg32.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\Enliccgh.exe   Ebehob32.exe
File opened for modification  C:\Windows\SysWOW64\Eacnbkkk.exe   Eihini32.exe
File opened for modification  C:\Windows\SysWOW64\Hnimgcjd.exe   Hmhppk32.exe
File created                  C:\Windows\SysWOW64\Mahbhmlg.dll   Ganiah32.exe
File created                  C:\Windows\SysWOW64\Oqnhkhla.exe   Oomlcp32.exe
File opened for modification  C:\Windows\SysWOW64\Fcbdbhme.exe   Fjipic32.exe
File created                  C:\Windows\SysWOW64\Mbbimk32.dll   Olbepc32.exe
File created                  C:\Windows\SysWOW64\Qfoockec.exe   Pobjaapi.exe
File created                  C:\Windows\SysWOW64\Nfoqlokg.dll   Ggmlffbo.exe
File created                  C:\Windows\SysWOW64\Jdeigc32.exe   Jnkajiof.exe
File created                  C:\Windows\SysWOW64\Lemeboch.dll   Bmjnlp32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

All 64 events open the same key; only the process differs.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64 events): Cogjofae.exe, Ilbobaoo.exe, Gaokjaeb.exe, Icfaia32.exe, Jgficdgo.exe, Lpbigm32.exe, Hmhppk32.exe, Jclqefac.exe, Cbdpcd32.exe, Phplfcoh.exe, Bmnpba32.exe, Mqfajdpe.exe, Kmginaim.exe, Cknikooe.exe, Ondcacad.exe, Nhlmfg32.exe, Jppbkoaf.exe, Hkgmkbih.exe, Ibjkfpih.exe, Lldnhfpa.exe, Dnobmnnj.exe, Hnkmnpef.exe, Lcbngf32.exe, Dciemfcd.exe, Bigmma32.exe, Acffenmj.exe, Hoacqggo.exe, Gmdblcpg.exe, Ljqcbjee.exe, Ohifedep.exe, Pobjaapi.exe, Nnmqbaeq.exe, Okamjh32.exe, Kofbahdm.exe, Bgdkjpel.exe, Akemjj32.exe, Bhecnndq.exe, Dlkggn32.exe, Gdgdhnml.exe, Idbpbpej.exe, Fhdlodmp.exe, Iinadl32.exe, Gemham32.exe, Ebmikdml.exe, Cemkijdl.exe, Kocfkifp.exe, and Process not Found (18 events)
Modifies registry class (64 IoCs)

All 64 events are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process COM server registration for the CLSID named by the SSODL value above. The (Default) value of InProcServer32 is the DLL path Explorer will load for that CLSID; it is rewritten to a different SysWow64 DLL name by successive generations of the sample.

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (20 events): Bigmma32.exe, Fhpoalho.exe, Cacedd32.exe, Emeahc32.exe, Onognkne.exe, Ngcknpeh.exe, Ominjg32.exe, Oocpkg32.exe, Kggcgf32.exe, Mnonaa32.exe, Knmlgdfb.exe, Pdaong32.exe, Elhbodka.exe, Mgefeglc.exe, Jbdegeei.exe, Kcfmnd32.exe, and Process not Found (4 events)

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (23 events): Mpgoaplb.exe, Bgdkjpel.exe, Ohhoknbe.exe, Mcbjfjnp.exe, Ominjg32.exe, Fofcplid.exe, Blodbffq.exe, Mhmcpl32.exe, Mqfajdpe.exe, Hoacqggo.exe, Gicfeogg.exe, Gpkamiag.exe, Jplome32.exe, Chkqko32.exe, Qfllce32.exe, Ohnejifc.exe, and Process not Found (7 events)

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = <DLL path> (the key's (Default) value; 21 events, one per row below)

DLL path                               Process
"C:\\Windows\\SysWow64\\Dcfeek32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Ellekd32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Kkonmooq.dll"  Bppqhjnp.exe
"C:\\Windows\\SysWow64\\Khjgbi32.dll"  Kbflbc32.exe
"C:\\Windows\\SysWow64\\Aoaeqe32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Fhmobn32.dll"  Lnnkmdfq.exe
"C:\\Windows\\SysWow64\\Onefel32.dll"  Mneancpi.exe
"C:\\Windows\\SysWow64\\Pllfmb32.dll"  Ghebpjpj.exe
"C:\\Windows\\SysWow64\\Feqkhl32.dll"  Holcka32.exe
"C:\\Windows\\SysWow64\\Gjcean32.dll"  Fogmaoib.exe
"C:\\Windows\\SysWow64\\Abpkhh32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Fffpaa32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Kniigilp.dll"  Lkgpmj32.exe
"C:\\Windows\\SysWow64\\Nkcmgein.dll"  Ikbidp32.exe
"C:\\Windows\\SysWow64\\Oinflf32.dll"  Pibmmp32.exe
"C:\\Windows\\SysWow64\\Ejgnlf32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Ikjknnam.dll"  Lkdqao32.exe
"C:\\Windows\\SysWow64\\Hiloak32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Giaqnkmp.dll"  Kfgfpoaj.exe
"C:\\Windows\\SysWow64\\Gjhimcmm.dll"  Process not Found
"C:\\Windows\\SysWow64\\Kghcdg32.dll"  Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the depth in the process chain, the image path, the PID and the behaviour signatures the sandbox attributed to that process; each entry is a child of the one above it, as the increasing depth shows. The recorded command line for the initial sample is "C:\Users\Admin\AppData\Local\Temp\c0c08064a07e228501d161249af029a0N.exe"; for every SysWOW64 entry the recorded command line is the same file name under C:\Windows\system32\.
1. C:\Users\Admin\AppData\Local\Temp\c0c08064a07e228501d161249af029a0N.exe, PID 1420: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Anjjjn32.exe, PID 2452: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bjqjoolp.exe, PID 3064: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bcklmdqn.exe, PID 2904: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bfldopno.exe, PID 2128: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cgpnlgak.exe, PID 2668: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ccfoah32.exe, PID 2580: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cajokmfi.exe, PID 2204: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cnnpdaeb.exe, PID 2144: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Cpbiaiin.exe, PID 2080: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Diljpn32.exe, PID 1516: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Deckeo32.exe, PID 1576: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Deegjo32.exe, PID 1564: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ddmaak32.exe, PID 1756: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ehkjgi32.exe, PID 2316: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Eklbid32.exe, PID 3040: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Emmljodk.exe, PID 1676: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Eaoadb32.exe, PID 2436: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Faanibeh.exe, PID 2096: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Flfbfken.exe, PID 2440: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Facjobce.exe, PID 2004: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
22. C:\Windows\SysWOW64\Fnjkdcii.exe, PID 1556: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Fhpoalho.exe, PID 1452: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
24. C:\Windows\SysWOW64\Fjchnclk.exe, PID 1776: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Gdimlllq.exe, PID 1672: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Ipnigl32.exe, PID 892: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Jbclcf32.exe, PID 2280: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Jifjod32.exe, PID 2120: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Jppbkoaf.exe, PID 2624: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\Kpdlfn32.exe, PID 2636: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Klkmkoce.exe, PID 2692: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Kedaddif.exe, PID 1684: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Kajbie32.exe, PID 2564: Executes dropped EXE
34. C:\Windows\SysWOW64\Koobcj32.exe, PID 3060: Executes dropped EXE
35. C:\Windows\SysWOW64\Kkechk32.exe, PID 1728: Executes dropped EXE
36. C:\Windows\SysWOW64\Lkgpmj32.exe, PID 428: Executes dropped EXE; Modifies registry class
37. C:\Windows\SysWOW64\Lccdamop.exe, PID 2868: Executes dropped EXE
38. C:\Windows\SysWOW64\Llkijb32.exe, PID 1540: Executes dropped EXE
39. C:\Windows\SysWOW64\Lgqmhk32.exe, PID 556: Executes dropped EXE
40. C:\Windows\SysWOW64\Lqknfq32.exe, PID 2044: Executes dropped EXE
41. C:\Windows\SysWOW64\Mhfckc32.exe, PID 2340: Executes dropped EXE
42. C:\Windows\SysWOW64\Mclghl32.exe, PID 2132: Executes dropped EXE
43. C:\Windows\SysWOW64\Mbadih32.exe, PID 2336: Executes dropped EXE
44. C:\Windows\SysWOW64\Mqfajdpe.exe, PID 108: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
45. C:\Windows\SysWOW64\Mnjaci32.exe, PID 1860: Executes dropped EXE
46. C:\Windows\SysWOW64\Mjabhjec.exe, PID 1368: Executes dropped EXE
47. C:\Windows\SysWOW64\Ngecbndm.exe, PID 668: Executes dropped EXE
48. C:\Windows\SysWOW64\Nppgfp32.exe, PID 868: Executes dropped EXE
49. C:\Windows\SysWOW64\Nfjpcjhe.exe, PID 952: Executes dropped EXE
50. C:\Windows\SysWOW64\Nmdhpd32.exe, PID 3012: Executes dropped EXE
51. C:\Windows\SysWOW64\Ncnplogn.exe, PID 1752: Executes dropped EXE
52. C:\Windows\SysWOW64\Njhhiiok.exe, PID 2480: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
53. C:\Windows\SysWOW64\Npeaapmb.exe, PID 2736: Executes dropped EXE
54. C:\Windows\SysWOW64\Ncqmbn32.exe, PID 2764: Executes dropped EXE
55. C:\Windows\SysWOW64\Nimeje32.exe, PID 2620: Executes dropped EXE
56. C:\Windows\SysWOW64\Nbfjckjc.exe, PID 2536: Executes dropped EXE
57. C:\Windows\SysWOW64\Olnnlpqd.exe, PID 1972: Executes dropped EXE; Drops file in System32 directory
58. C:\Windows\SysWOW64\Obhfhj32.exe, PID 1816: Executes dropped EXE
59. C:\Windows\SysWOW64\Oheoaa32.exe, PID 2424: Executes dropped EXE
60. C:\Windows\SysWOW64\Onognkne.exe, PID 1072: Executes dropped EXE; Modifies registry class
61. C:\Windows\SysWOW64\Oamcjgmi.exe, PID 2572: Executes dropped EXE
62. C:\Windows\SysWOW64\Olchgp32.exe, PID 1048: Executes dropped EXE
63. C:\Windows\SysWOW64\Omddohbm.exe, PID 2180: Executes dropped EXE
64. C:\Windows\SysWOW64\Ohjhlqbc.exe, PID 2632: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65. C:\Windows\SysWOW64\Omfadgqj.exe, PID 604: Executes dropped EXE
66. C:\Windows\SysWOW64\Opempcpn.exe, PID 924: no signatures recorded
67. C:\Windows\SysWOW64\Ominjg32.exe, PID 2036: Modifies registry class
68. C:\Windows\SysWOW64\Opgjfb32.exe, PID 1740: no signatures recorded
69. C:\Windows\SysWOW64\Pjmnck32.exe, PID 2876: no signatures recorded
70. C:\Windows\SysWOW64\Ppjfkb32.exe, PID 876: no signatures recorded
71. C:\Windows\SysWOW64\Pmngef32.exe, PID 3028: no signatures recorded
72. C:\Windows\SysWOW64\Pplcabif.exe, PID 1716: no signatures recorded
73. C:\Windows\SysWOW64\Pfflnl32.exe, PID 3056: no signatures recorded
74. C:\Windows\SysWOW64\Pidhjg32.exe, PID 2844: no signatures recorded
75. C:\Windows\SysWOW64\Pifdog32.exe, PID 2604: no signatures recorded
76. C:\Windows\SysWOW64\Pocmhnlk.exe, PID 280: no signatures recorded
77. C:\Windows\SysWOW64\Plgmabke.exe, PID 2824: no signatures recorded
78. C:\Windows\SysWOW64\Qmijij32.exe, PID 1240: no signatures recorded
79. C:\Windows\SysWOW64\Qhnnfc32.exe, PID 860: no signatures recorded
80. C:\Windows\SysWOW64\Qohfcmhf.exe, PID 1396: no signatures recorded
81. C:\Windows\SysWOW64\Qgckgp32.exe, PID 936: no signatures recorded
82. C:\Windows\SysWOW64\Aaiodh32.exe, PID 2312: no signatures recorded
83. C:\Windows\SysWOW64\Agfhmo32.exe, PID 2100: no signatures recorded
84. C:\Windows\SysWOW64\Apnlee32.exe, PID 1780: no signatures recorded
85. C:\Windows\SysWOW64\Ajfanjqo.exe, PID 940: no signatures recorded
86. C:\Windows\SysWOW64\Appikd32.exe, PID 3016: no signatures recorded
87. C:\Windows\SysWOW64\Ahlnpg32.exe, PID 1632: no signatures recorded
88. C:\Windows\SysWOW64\Afpnikda.exe, PID 1588: no signatures recorded
89. C:\Windows\SysWOW64\Aklgabbh.exe, PID 2748: no signatures recorded
90. C:\Windows\SysWOW64\Bfbknkbn.exe, PID 2836: no signatures recorded
91. C:\Windows\SysWOW64\Bbilclhb.exe, PID 808: no signatures recorded
92. C:\Windows\SysWOW64\Bgedlbfj.exe, PID 2176: no signatures recorded
93. C:\Windows\SysWOW64\Dccgpf32.exe, PID 2948: no signatures recorded
94. C:\Windows\SysWOW64\Dpoapf32.exe, PID 1356: no signatures recorded
95. C:\Windows\SysWOW64\Fgkbac32.exe, PID 3044: no signatures recorded
96. C:\Windows\SysWOW64\Fapgolal.exe, PID 1352: no signatures recorded
97. C:\Windows\SysWOW64\Fgmogcpc.exe, PID 2060: no signatures recorded
98. C:\Windows\SysWOW64\Fmggdm32.exe, PID 2016: no signatures recorded
99. C:\Windows\SysWOW64\Fdapqgom.exe, PID 2928: no signatures recorded
100. C:\Windows\SysWOW64\Feblho32.exe, PID 840: no signatures recorded
101. C:\Windows\SysWOW64\Fgaibb32.exe, PID 2744: no signatures recorded
102. C:\Windows\SysWOW64\Floaji32.exe, PID 2800: no signatures recorded
103. C:\Windows\SysWOW64\Fchigcab.exe, PID 2716: no signatures recorded
104. C:\Windows\SysWOW64\Gegecopf.exe, PID 1476: no signatures recorded
105. C:\Windows\SysWOW64\Ghebpjpj.exe, PID 1448: Modifies registry class
106. C:\Windows\SysWOW64\Goojldgf.exe, PID 1296: no signatures recorded
107. C:\Windows\SysWOW64\Gdlbdken.exe, PID 972: Adds autorun key to be loaded by Explorer.exe on startup
108. C:\Windows\SysWOW64\Glckehfp.exe, PID 3052: no signatures recorded
109. C:\Windows\SysWOW64\Goagaded.exe, PID 2008: no signatures recorded
110. C:\Windows\SysWOW64\Gapcnodg.exe, PID 2432: Drops file in System32 directory
111. C:\Windows\SysWOW64\Ggmlffbo.exe, PID 1928: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
112. C:\Windows\SysWOW64\Godcgcca.exe, PID 2192: no signatures recorded
113. C:\Windows\SysWOW64\Gqepolio.exe, PID 1544: no signatures recorded
114. C:\Windows\SysWOW64\Ghlhpiia.exe, PID 2476: no signatures recorded
115. C:\Windows\SysWOW64\Gkkdldhe.exe, PID 2656: no signatures recorded
116. C:\Windows\SysWOW64\Gqgmdkgm.exe, PID 2888: no signatures recorded
117. C:\Windows\SysWOW64\Ggaeae32.exe, PID 1328: no signatures recorded
118. C:\Windows\SysWOW64\Hnkmnpef.exe, PID 2068: System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Hchfff32.exe, PID 2856: no signatures recorded
120. C:\Windows\SysWOW64\Hjbncqkj.exe, PID 3048: no signatures recorded
121. C:\Windows\SysWOW64\Hckblf32.exe, PID 836: no signatures recorded
122. C:\Windows\SysWOW64\Hoacqggo.exe, PID 2504: System Location Discovery: System Language Discovery; Modifies registry class