Analysis
max time kernel: 109s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 20:13
Static task: static1
Behavioral task: behavioral1
  Sample: 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe
  Resource: win10v2004-20240802-en
General
Target: 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe
Size: 64KB
MD5: 7da41dd9d83e41d0b0d58fb17e387ff4
SHA1: 699268f9c481319f031d2a5b74adfcf75796205d
SHA256: 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02
SHA512: e8cf5c34a1ffe95e696e844d7dfbd1549a847905a79d78a32954a2bf7680aef9030fc89764d35c7f0a3a97fa867738b2eb83036b52bc2e3d808d47284df09a50
SSDEEP: 768:pr9311ZR1I+ZomRcJ9tdF+GnnwFW8yvgCQ2hLPi4IZCOUT/1H58AXdnhgoEqErtq:pplTRm465FVcW8yTtFheSV1iL+iALMH6
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5912; pid_target: 1460; Process: Process not Found; procid_target: 1087
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2028 wrote to memory of 1716 2028 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe 29
PID 2028 wrote to memory of 1716 2028 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe 29
PID 2028 wrote to memory of 1716 2028 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe 29
PID 2028 wrote to memory of 1716 2028 3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe 29
PID 1716 wrote to memory of 2196 1716 Mgkghp32.exe 30
PID 1716 wrote to memory of 2196 1716 Mgkghp32.exe 30
PID 1716 wrote to memory of 2196 1716 Mgkghp32.exe 30
PID 1716 wrote to memory of 2196 1716 Mgkghp32.exe 30
PID 2196 wrote to memory of 2748 2196 Milcphgf.exe 31
PID 2196 wrote to memory of 2748 2196 Milcphgf.exe 31
PID 2196 wrote to memory of 2748 2196 Milcphgf.exe 31
PID 2196 wrote to memory of 2748 2196 Milcphgf.exe 31
PID 2748 wrote to memory of 2360 2748 Mcddca32.exe 32
PID 2748 wrote to memory of 2360 2748 Mcddca32.exe 32
PID 2748 wrote to memory of 2360 2748 Mcddca32.exe 32
PID 2748 wrote to memory of 2360 2748 Mcddca32.exe 32
PID 2360 wrote to memory of 2556 2360 Mnnecoah.exe 33
PID 2360 wrote to memory of 2556 2360 Mnnecoah.exe 33
PID 2360 wrote to memory of 2556 2360 Mnnecoah.exe 33
PID 2360 wrote to memory of 2556 2360 Mnnecoah.exe 33
PID 2556 wrote to memory of 2604 2556 Nbknjm32.exe 34
PID 2556 wrote to memory of 2604 2556 Nbknjm32.exe 34
PID 2556 wrote to memory of 2604 2556 Nbknjm32.exe 34
PID 2556 wrote to memory of 2604 2556 Nbknjm32.exe 34
PID 2604 wrote to memory of 764 2604 Nnboonmb.exe 35
PID 2604 wrote to memory of 764 2604 Nnboonmb.exe 35
PID 2604 wrote to memory of 764 2604 Nnboonmb.exe 35
PID 2604 wrote to memory of 764 2604 Nnboonmb.exe 35
PID 764 wrote to memory of 2152 764 Nfpphp32.exe 36
PID 764 wrote to memory of 2152 764 Nfpphp32.exe 36
PID 764 wrote to memory of 2152 764 Nfpphp32.exe 36
PID 764 wrote to memory of 2152 764 Nfpphp32.exe 36
PID 2152 wrote to memory of 2868 2152 Niqijkel.exe 37
PID 2152 wrote to memory of 2868 2152 Niqijkel.exe 37
PID 2152 wrote to memory of 2868 2152 Niqijkel.exe 37
PID 2152 wrote to memory of 2868 2152 Niqijkel.exe 37
PID 2868 wrote to memory of 1296 2868 Ojpedn32.exe 38
PID 2868 wrote to memory of 1296 2868 Ojpedn32.exe 38
PID 2868 wrote to memory of 1296 2868 Ojpedn32.exe 38
PID 2868 wrote to memory of 1296 2868 Ojpedn32.exe 38
PID 1296 wrote to memory of 1800 1296 Olablfbm.exe 39
PID 1296 wrote to memory of 1800 1296 Olablfbm.exe 39
PID 1296 wrote to memory of 1800 1296 Olablfbm.exe 39
PID 1296 wrote to memory of 1800 1296 Olablfbm.exe 39
PID 1800 wrote to memory of 2572 1800 Olcoaf32.exe 40
PID 1800 wrote to memory of 2572 1800 Olcoaf32.exe 40
PID 1800 wrote to memory of 2572 1800 Olcoaf32.exe 40
PID 1800 wrote to memory of 2572 1800 Olcoaf32.exe 40
PID 2572 wrote to memory of 1988 2572 Oelcjkgk.exe 41
PID 2572 wrote to memory of 1988 2572 Oelcjkgk.exe 41
PID 2572 wrote to memory of 1988 2572 Oelcjkgk.exe 41
PID 2572 wrote to memory of 1988 2572 Oelcjkgk.exe 41
PID 1988 wrote to memory of 1336 1988 Oodhca32.exe 42
PID 1988 wrote to memory of 1336 1988 Oodhca32.exe 42
PID 1988 wrote to memory of 1336 1988 Oodhca32.exe 42
PID 1988 wrote to memory of 1336 1988 Oodhca32.exe 42
PID 1336 wrote to memory of 2104 1336 Ohmllf32.exe 43
PID 1336 wrote to memory of 2104 1336 Ohmllf32.exe 43
PID 1336 wrote to memory of 2104 1336 Ohmllf32.exe 43
PID 1336 wrote to memory of 2104 1336 Ohmllf32.exe 43
PID 2104 wrote to memory of 2336 2104 Okmena32.exe 44
PID 2104 wrote to memory of 2336 2104 Okmena32.exe 44
PID 2104 wrote to memory of 2336 2104 Okmena32.exe 44
PID 2104 wrote to memory of 2336 2104 Okmena32.exe 44
Processes
-
level  path  command line  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe  "C:\Users\Admin\AppData\Local\Temp\3df12c6459315213c0dfa95740f7b575c5c49ccf8a0c65a80d47d4d4ad834e02.exe"  2028  Loads dropped DLL; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Mgkghp32.exe  C:\Windows\system32\Mgkghp32.exe  1716  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Milcphgf.exe  C:\Windows\system32\Milcphgf.exe  2196  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Mcddca32.exe  C:\Windows\system32\Mcddca32.exe  2748  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Mnnecoah.exe  C:\Windows\system32\Mnnecoah.exe  2360  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Nbknjm32.exe  C:\Windows\system32\Nbknjm32.exe  2556  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Nnboonmb.exe  C:\Windows\system32\Nnboonmb.exe  2604  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Nfpphp32.exe  C:\Windows\system32\Nfpphp32.exe  764  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Niqijkel.exe  C:\Windows\system32\Niqijkel.exe  2152  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Ojpedn32.exe  C:\Windows\system32\Ojpedn32.exe  2868  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Olablfbm.exe  C:\Windows\system32\Olablfbm.exe  1296  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Olcoaf32.exe  C:\Windows\system32\Olcoaf32.exe  1800  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Oelcjkgk.exe  C:\Windows\system32\Oelcjkgk.exe  2572  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Oodhca32.exe  C:\Windows\system32\Oodhca32.exe  1988  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Ohmllf32.exe  C:\Windows\system32\Ohmllf32.exe  1336  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Okmena32.exe  C:\Windows\system32\Okmena32.exe  2104  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Phaegfpg.exe  C:\Windows\system32\Phaegfpg.exe  2336  Executes dropped EXE; Loads dropped DLL
18  C:\Windows\SysWOW64\Phcbmend.exe  C:\Windows\system32\Phcbmend.exe  2820  Executes dropped EXE; Loads dropped DLL
19  C:\Windows\SysWOW64\Ppogahko.exe  C:\Windows\system32\Ppogahko.exe  1652  Executes dropped EXE; Loads dropped DLL
20  C:\Windows\SysWOW64\Pkdknq32.exe  C:\Windows\system32\Pkdknq32.exe  1644  Executes dropped EXE; Loads dropped DLL
21  C:\Windows\SysWOW64\Pcppbc32.exe  C:\Windows\system32\Pcppbc32.exe  1636  Executes dropped EXE; Loads dropped DLL
22  C:\Windows\SysWOW64\Pijhompm.exe  C:\Windows\system32\Pijhompm.exe  2004  Executes dropped EXE; Loads dropped DLL; Modifies registry class
23  C:\Windows\SysWOW64\Peqidn32.exe  C:\Windows\system32\Peqidn32.exe  1556  Executes dropped EXE; Loads dropped DLL; Modifies registry class
24  C:\Windows\SysWOW64\Qcdinbdk.exe  C:\Windows\system32\Qcdinbdk.exe  1452  Executes dropped EXE; Loads dropped DLL
25  C:\Windows\SysWOW64\Qlmnfh32.exe  C:\Windows\system32\Qlmnfh32.exe  2376  Executes dropped EXE; Loads dropped DLL
26  C:\Windows\SysWOW64\Adhbkj32.exe  C:\Windows\system32\Adhbkj32.exe  2884  Executes dropped EXE; Loads dropped DLL
27  C:\Windows\SysWOW64\Aomghchl.exe  C:\Windows\system32\Aomghchl.exe  2268  Executes dropped EXE; Loads dropped DLL; Modifies registry class
28  C:\Windows\SysWOW64\Agikmeeg.exe  C:\Windows\system32\Agikmeeg.exe  2624  Executes dropped EXE; Loads dropped DLL
29  C:\Windows\SysWOW64\Anepooja.exe  C:\Windows\system32\Anepooja.exe  1184  Executes dropped EXE; Loads dropped DLL
30  C:\Windows\SysWOW64\Agmehd32.exe  C:\Windows\system32\Agmehd32.exe  2380  Executes dropped EXE; Loads dropped DLL
31  C:\Windows\SysWOW64\Anjjjn32.exe  C:\Windows\system32\Anjjjn32.exe  2768  Executes dropped EXE; Loads dropped DLL
32  C:\Windows\SysWOW64\Bcfbbe32.exe  C:\Windows\system32\Bcfbbe32.exe  2784  Executes dropped EXE; Loads dropped DLL
33  C:\Windows\SysWOW64\Bblocaik.exe  C:\Windows\system32\Bblocaik.exe  2552  Executes dropped EXE
34  C:\Windows\SysWOW64\Bkdclgpl.exe  C:\Windows\system32\Bkdclgpl.exe  2700  Executes dropped EXE
35  C:\Windows\SysWOW64\Bmcpfj32.exe  C:\Windows\system32\Bmcpfj32.exe  2512  Executes dropped EXE
36  C:\Windows\SysWOW64\Bfldopno.exe  C:\Windows\system32\Bfldopno.exe  2092  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
37  C:\Windows\SysWOW64\Cjnjhcqo.exe  C:\Windows\system32\Cjnjhcqo.exe  1540  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38  C:\Windows\SysWOW64\Cahbem32.exe  C:\Windows\system32\Cahbem32.exe  900  Executes dropped EXE
39  C:\Windows\SysWOW64\Cefkkk32.exe  C:\Windows\system32\Cefkkk32.exe  1700  Executes dropped EXE
40  C:\Windows\SysWOW64\Cnnpdaeb.exe  C:\Windows\system32\Cnnpdaeb.exe  1724  Executes dropped EXE
41  C:\Windows\SysWOW64\Cpolli32.exe  C:\Windows\system32\Cpolli32.exe  1808  Executes dropped EXE
42  C:\Windows\SysWOW64\Cijmjn32.exe  C:\Windows\system32\Cijmjn32.exe  2916  Executes dropped EXE
43  C:\Windows\SysWOW64\Cpdeghgk.exe  C:\Windows\system32\Cpdeghgk.exe  3052  Executes dropped EXE
44  C:\Windows\SysWOW64\Diljpn32.exe  C:\Windows\system32\Diljpn32.exe  2184  Executes dropped EXE
45  C:\Windows\SysWOW64\Dpfblh32.exe  C:\Windows\system32\Dpfblh32.exe  1568  Executes dropped EXE
46  C:\Windows\SysWOW64\Ddkdkk32.exe  C:\Windows\system32\Ddkdkk32.exe  2412  Executes dropped EXE
47  C:\Windows\SysWOW64\Dkelhemb.exe  C:\Windows\system32\Dkelhemb.exe  2440  Executes dropped EXE
48  C:\Windows\SysWOW64\Eobenc32.exe  C:\Windows\system32\Eobenc32.exe  692  Executes dropped EXE
49  C:\Windows\SysWOW64\Edpnfjap.exe  C:\Windows\system32\Edpnfjap.exe  868  Executes dropped EXE
50  C:\Windows\SysWOW64\Ekifcd32.exe  C:\Windows\system32\Ekifcd32.exe  1964  Executes dropped EXE
51  C:\Windows\SysWOW64\Eacnpoqi.exe  C:\Windows\system32\Eacnpoqi.exe  1532  Executes dropped EXE
52  C:\Windows\SysWOW64\Edbjljpm.exe  C:\Windows\system32\Edbjljpm.exe  2488  Executes dropped EXE
53  C:\Windows\SysWOW64\Eklbid32.exe  C:\Windows\system32\Eklbid32.exe  2640  Executes dropped EXE
54  C:\Windows\SysWOW64\Ephkak32.exe  C:\Windows\system32\Ephkak32.exe  2808  Executes dropped EXE
55  C:\Windows\SysWOW64\Eiapjq32.exe  C:\Windows\system32\Eiapjq32.exe  2764  Executes dropped EXE
56  C:\Windows\SysWOW64\Eonhbg32.exe  C:\Windows\system32\Eonhbg32.exe  2648  Executes dropped EXE
57  C:\Windows\SysWOW64\Ehfmkmqj.exe  C:\Windows\system32\Ehfmkmqj.exe  2960  Executes dropped EXE
58  C:\Windows\SysWOW64\Eopehg32.exe  C:\Windows\system32\Eopehg32.exe  2628  Executes dropped EXE
59  C:\Windows\SysWOW64\Fkgemh32.exe  C:\Windows\system32\Fkgemh32.exe  880  Executes dropped EXE
60  C:\Windows\SysWOW64\Fcnmne32.exe  C:\Windows\system32\Fcnmne32.exe  1732  Executes dropped EXE
61  C:\Windows\SysWOW64\Fdojendk.exe  C:\Windows\system32\Fdojendk.exe  852  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62  C:\Windows\SysWOW64\Flfbfken.exe  C:\Windows\system32\Flfbfken.exe  2856  Executes dropped EXE
63  C:\Windows\SysWOW64\Foencfda.exe  C:\Windows\system32\Foencfda.exe  1048  Executes dropped EXE
64  C:\Windows\SysWOW64\Facjobce.exe  C:\Windows\system32\Facjobce.exe  2136  Executes dropped EXE
65  C:\Windows\SysWOW64\Fhmblljb.exe  C:\Windows\system32\Fhmblljb.exe  3020  Executes dropped EXE
66  C:\Windows\SysWOW64\Fnjkdcii.exe  C:\Windows\system32\Fnjkdcii.exe  1616
67  C:\Windows\SysWOW64\Fhpoalho.exe  C:\Windows\system32\Fhpoalho.exe  1016
68  C:\Windows\SysWOW64\Fnlhibff.exe  C:\Windows\system32\Fnlhibff.exe  2036
69  C:\Windows\SysWOW64\Fdfpfm32.exe  C:\Windows\system32\Fdfpfm32.exe  668
70  C:\Windows\SysWOW64\Fkphcg32.exe  C:\Windows\system32\Fkphcg32.exe  812
71  C:\Windows\SysWOW64\Gqmqkn32.exe  C:\Windows\system32\Gqmqkn32.exe  696
72  C:\Windows\SysWOW64\Gggihhkd.exe  C:\Windows\system32\Gggihhkd.exe  2724  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
73  C:\Windows\SysWOW64\Gnaadb32.exe  C:\Windows\system32\Gnaadb32.exe  2120
74  C:\Windows\SysWOW64\Gcnjmi32.exe  C:\Windows\system32\Gcnjmi32.exe  2672
75  C:\Windows\SysWOW64\Gflfidpl.exe  C:\Windows\system32\Gflfidpl.exe  2692
76  C:\Windows\SysWOW64\Gmfnen32.exe  C:\Windows\system32\Gmfnen32.exe  2788
77  C:\Windows\SysWOW64\Gjjoob32.exe  C:\Windows\system32\Gjjoob32.exe  2620
78  C:\Windows\SysWOW64\Gogggi32.exe  C:\Windows\system32\Gogggi32.exe  1496
79  C:\Windows\SysWOW64\Gddppp32.exe  C:\Windows\system32\Gddppp32.exe  2156
80  C:\Windows\SysWOW64\Goidmibg.exe  C:\Windows\system32\Goidmibg.exe  2424
81  C:\Windows\SysWOW64\Gfclic32.exe  C:\Windows\system32\Gfclic32.exe  2852
82  C:\Windows\SysWOW64\Hkpdbj32.exe  C:\Windows\system32\Hkpdbj32.exe  2912
83  C:\Windows\SysWOW64\Hjeacf32.exe  C:\Windows\system32\Hjeacf32.exe  1620
84  C:\Windows\SysWOW64\Hcnfllcd.exe  C:\Windows\system32\Hcnfllcd.exe  2312
85  C:\Windows\SysWOW64\Hncjiecj.exe  C:\Windows\system32\Hncjiecj.exe  2116
86  C:\Windows\SysWOW64\Hcpbalaa.exe  C:\Windows\system32\Hcpbalaa.exe  2200
87  C:\Windows\SysWOW64\Hmhgjahb.exe  C:\Windows\system32\Hmhgjahb.exe  2016
88  C:\Windows\SysWOW64\Hcbogk32.exe  C:\Windows\system32\Hcbogk32.exe  3024
89  C:\Windows\SysWOW64\Hiohob32.exe  C:\Windows\system32\Hiohob32.exe  1032
90  C:\Windows\SysWOW64\Ipipllec.exe  C:\Windows\system32\Ipipllec.exe  840
91  C:\Windows\SysWOW64\Iiaddb32.exe  C:\Windows\system32\Iiaddb32.exe  2880
92  C:\Windows\SysWOW64\Ipkmal32.exe  C:\Windows\system32\Ipkmal32.exe  2580
93  C:\Windows\SysWOW64\Ifeenfjm.exe  C:\Windows\system32\Ifeenfjm.exe  1728
94  C:\Windows\SysWOW64\Imomkp32.exe  C:\Windows\system32\Imomkp32.exe  2416
95  C:\Windows\SysWOW64\Iblfcg32.exe  C:\Windows\system32\Iblfcg32.exe  1536
96  C:\Windows\SysWOW64\Ihinkn32.exe  C:\Windows\system32\Ihinkn32.exe  1516  Drops file in System32 directory
97  C:\Windows\SysWOW64\Incfhh32.exe  C:\Windows\system32\Incfhh32.exe  972
98  C:\Windows\SysWOW64\Iemoebmb.exe  C:\Windows\system32\Iemoebmb.exe  2056  Adds autorun key to be loaded by Explorer.exe on startup
99  C:\Windows\SysWOW64\Ipbcbkmh.exe  C:\Windows\system32\Ipbcbkmh.exe  1784
100  C:\Windows\SysWOW64\Ilicgl32.exe  C:\Windows\system32\Ilicgl32.exe  1368
101  C:\Windows\SysWOW64\Jaflocqd.exe  C:\Windows\system32\Jaflocqd.exe  2460
102  C:\Windows\SysWOW64\Jhpdlm32.exe  C:\Windows\system32\Jhpdlm32.exe  2252  Modifies registry class
103  C:\Windows\SysWOW64\Jojmigpn.exe  C:\Windows\system32\Jojmigpn.exe  2280
104  C:\Windows\SysWOW64\Jdgeanne.exe  C:\Windows\system32\Jdgeanne.exe  1612
105  C:\Windows\SysWOW64\Jkqmnh32.exe  C:\Windows\system32\Jkqmnh32.exe  2984
106  C:\Windows\SysWOW64\Jakejb32.exe  C:\Windows\system32\Jakejb32.exe  2596
107  C:\Windows\SysWOW64\Jhengldk.exe  C:\Windows\system32\Jhengldk.exe  1816
108  C:\Windows\SysWOW64\Jmafocbb.exe  C:\Windows\system32\Jmafocbb.exe  2472
109  C:\Windows\SysWOW64\Jppbkoaf.exe  C:\Windows\system32\Jppbkoaf.exe  2812
110  C:\Windows\SysWOW64\Jkegigal.exe  C:\Windows\system32\Jkegigal.exe  956
111  C:\Windows\SysWOW64\Jmdcecpp.exe  C:\Windows\system32\Jmdcecpp.exe  1848
112  C:\Windows\SysWOW64\Jdnkamhm.exe  C:\Windows\system32\Jdnkamhm.exe  1284
113  C:\Windows\SysWOW64\Keohie32.exe  C:\Windows\system32\Keohie32.exe  2356
114  C:\Windows\SysWOW64\Kpdlfn32.exe  C:\Windows\system32\Kpdlfn32.exe  2504  Drops file in System32 directory
115  C:\Windows\SysWOW64\Keadoe32.exe  C:\Windows\system32\Keadoe32.exe  1852
116  C:\Windows\SysWOW64\Klkmkoce.exe  C:\Windows\system32\Klkmkoce.exe  552
117  C:\Windows\SysWOW64\Kedaddif.exe  C:\Windows\system32\Kedaddif.exe  1588  System Location Discovery: System Language Discovery
118  C:\Windows\SysWOW64\Klniao32.exe  C:\Windows\system32\Klniao32.exe  2656
119  C:\Windows\SysWOW64\Kajbie32.exe  C:\Windows\system32\Kajbie32.exe  2844
120  C:\Windows\SysWOW64\Khdjfpfg.exe  C:\Windows\system32\Khdjfpfg.exe  2824
121  C:\Windows\SysWOW64\Knabngen.exe  C:\Windows\system32\Knabngen.exe  576
122  C:\Windows\SysWOW64\Kdkkkqlk.exe  C:\Windows\system32\Kdkkkqlk.exe  804