Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 14:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
997e46976561af3e3abe24e5789d4d70N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
997e46976561af3e3abe24e5789d4d70N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
997e46976561af3e3abe24e5789d4d70N.exe
-
Size
78KB
-
MD5
997e46976561af3e3abe24e5789d4d70
-
SHA1
ff808eca11b91e8d43b6a9eab91f2480f81870a5
-
SHA256
5bd7129d3b84f997221ee514c8f88dc8de0d66375e7c8b08caa1515f8c956eae
-
SHA512
b0b07b52e77d21aff65b333bcba71af7248206a8dba2eed7c72af2e01b312c6cf202452edca77186ed8f91793e9cc693f54d5650ae22f9ec3e19a1459ea50afb
-
SSDEEP
1536:knBzlLJ0khaWEjeJauffytYiVGN+zL20gJi1ie:kBdJTOsfKtYiVGgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiopah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebcdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfpilmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadnlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmpafnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkajgonp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqmbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfiekc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiekkdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnekcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfobndnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocpjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flgiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjakg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcfjkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqlikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfncad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djemfibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cincaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmiaknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkoeoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhboidoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbkaoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eponmmaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojlkonpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klnpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdfhlggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfpdcm32.exe -
Executes dropped EXE 64 IoCs
pid Process 664 Gofajcog.exe 2504 Ghnfci32.exe 2868 Gjnbmlmj.exe 2832 Gcfgfack.exe 2820 Goodpb32.exe 2704 Higiih32.exe 2612 Henjnica.exe 832 Hjplao32.exe 1764 Hpmdjf32.exe 2548 Ipameehe.exe 2620 Iijbnkne.exe 1164 Iaegbmlq.exe 2284 Jalmcl32.exe 2252 Jfiekc32.exe 2084 Jgmofbpk.exe 1228 Khcdijac.exe 432 Kaliaphd.exe 1712 Kkdnke32.exe 2604 Kgmkef32.exe 1940 Kpeonkig.exe 1652 Lcieef32.exe 1656 Lfingaaf.exe 860 Lbpolb32.exe 2356 Mhlcnl32.exe 2588 Mnilfc32.exe 2772 Mnneabff.exe 2304 Mcknjidn.exe 2764 Nqakim32.exe 2132 Nfncad32.exe 2660 Npfhjifm.exe 2796 Ojilqf32.exe 2720 Ophanl32.exe 996 Ojnelefl.exe 1104 Obijpgcf.exe 2032 Omonmpcm.exe 2120 Phhonn32.exe 1196 Pihlhagn.exe 2160 Peolmb32.exe 2280 Pogaeg32.exe 812 Pgbejj32.exe 668 Pahjgb32.exe 1820 Phabdmgq.exe 2312 Qdhcinme.exe 1600 Qnagbc32.exe 2044 Acnpjj32.exe 2520 Apapcnaf.exe 984 Alhaho32.exe 1808 Alknnodh.exe 464 Ahancp32.exe 2568 Ahdkhp32.exe 1560 Bdklnq32.exe 2880 Bjgdfg32.exe 2980 Bdmhcp32.exe 2940 Bjjakg32.exe 1720 Bfqaph32.exe 1132 Bfcnfh32.exe 1696 Bokcom32.exe 1168 Cicggcke.exe 2920 Ccileljk.exe 1144 Cbnhfhoc.exe 2104 Ckgmon32.exe 2992 Cngfqi32.exe 2332 Cgpjin32.exe 1388 Cmmcae32.exe -
Loads dropped DLL 64 IoCs
pid Process 2968 997e46976561af3e3abe24e5789d4d70N.exe 2968 997e46976561af3e3abe24e5789d4d70N.exe 664 Gofajcog.exe 664 Gofajcog.exe 2504 Ghnfci32.exe 2504 Ghnfci32.exe 2868 Gjnbmlmj.exe 2868 Gjnbmlmj.exe 2832 Gcfgfack.exe 2832 Gcfgfack.exe 2820 Goodpb32.exe 2820 Goodpb32.exe 2704 Higiih32.exe 2704 Higiih32.exe 2612 Henjnica.exe 2612 Henjnica.exe 832 Hjplao32.exe 832 Hjplao32.exe 1764 Hpmdjf32.exe 1764 Hpmdjf32.exe 2548 Ipameehe.exe 2548 Ipameehe.exe 2620 Iijbnkne.exe 2620 Iijbnkne.exe 1164 Iaegbmlq.exe 1164 Iaegbmlq.exe 2284 Jalmcl32.exe 2284 Jalmcl32.exe 2252 Jfiekc32.exe 2252 Jfiekc32.exe 2084 Jgmofbpk.exe 2084 Jgmofbpk.exe 1228 Khcdijac.exe 1228 Khcdijac.exe 432 Kaliaphd.exe 432 Kaliaphd.exe 1712 Kkdnke32.exe 1712 Kkdnke32.exe 2604 Kgmkef32.exe 2604 Kgmkef32.exe 1940 Kpeonkig.exe 1940 Kpeonkig.exe 1652 Lcieef32.exe 1652 Lcieef32.exe 1656 Lfingaaf.exe 1656 Lfingaaf.exe 860 Lbpolb32.exe 860 Lbpolb32.exe 2356 Mhlcnl32.exe 2356 Mhlcnl32.exe 2588 Mnilfc32.exe 2588 Mnilfc32.exe 2772 Mnneabff.exe 2772 Mnneabff.exe 2304 Mcknjidn.exe 2304 Mcknjidn.exe 2764 Nqakim32.exe 2764 Nqakim32.exe 2132 Nfncad32.exe 2132 Nfncad32.exe 2660 Npfhjifm.exe 2660 Npfhjifm.exe 2796 Ojilqf32.exe 2796 Ojilqf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ifpbfc32.dll Fldbnb32.exe File created C:\Windows\SysWOW64\Mkdfdn32.dll Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Qnkdeagl.exe Qhnlmjie.exe File created C:\Windows\SysWOW64\Hpiaec32.dll Panboflg.exe File created C:\Windows\SysWOW64\Mcqcdbqp.dll Process not Found File created C:\Windows\SysWOW64\Nigefc32.dll Aalcdngp.exe File created C:\Windows\SysWOW64\Bpojmn32.dll Process not Found File created C:\Windows\SysWOW64\Jhjpekkf.exe Process not Found File created C:\Windows\SysWOW64\Jfiekc32.exe Jalmcl32.exe File opened for modification C:\Windows\SysWOW64\Ebnlba32.exe Ejbhno32.exe File created C:\Windows\SysWOW64\Jnlhbb32.exe Idcdjmao.exe File created C:\Windows\SysWOW64\Bloglgcc.dll Ffomjgoj.exe File opened for modification C:\Windows\SysWOW64\Omonmpcm.exe Obijpgcf.exe File created C:\Windows\SysWOW64\Hpfoekhm.exe Hgnjlfam.exe File created C:\Windows\SysWOW64\Legnoo32.dll Hnedfljc.exe File created C:\Windows\SysWOW64\Qdhcinme.exe Phabdmgq.exe File created C:\Windows\SysWOW64\Bokapipc.exe Process not Found File created C:\Windows\SysWOW64\Mmdigbbj.dll Ebpgoh32.exe File created C:\Windows\SysWOW64\Ajqoqm32.exe Abejlj32.exe File opened for modification C:\Windows\SysWOW64\Chkpakla.exe Cnekcblk.exe File opened for modification C:\Windows\SysWOW64\Qmoone32.exe Qcgkeonp.exe File opened for modification C:\Windows\SysWOW64\Nkfaqkcq.exe Process not Found File created C:\Windows\SysWOW64\Nbknjm32.exe Mfdmdlaj.exe File created C:\Windows\SysWOW64\Bboledln.dll Jollgl32.exe File created C:\Windows\SysWOW64\Qoggilne.dll Mcjihk32.exe File created C:\Windows\SysWOW64\Jjpehn32.exe Jojaje32.exe File opened for modification C:\Windows\SysWOW64\Kdoaackf.exe Kkglim32.exe File created C:\Windows\SysWOW64\Adcidm32.dll Jdnpck32.exe File created C:\Windows\SysWOW64\Iaqbih32.dll Ldedlfhl.exe File opened for modification C:\Windows\SysWOW64\Mfdklc32.exe Mfbnfcli.exe File opened for modification C:\Windows\SysWOW64\Danblfmk.exe Dlajdpoc.exe File opened for modification C:\Windows\SysWOW64\Mnakjaoc.exe Mhdcbjal.exe File created C:\Windows\SysWOW64\Aflmbj32.exe Algida32.exe File opened for modification C:\Windows\SysWOW64\Fmkpchmp.exe Fbflfomj.exe File opened for modification C:\Windows\SysWOW64\Pgklcaqi.exe Pigkjmap.exe File opened for modification C:\Windows\SysWOW64\Mgqigohb.exe Process not Found File created C:\Windows\SysWOW64\Knfail32.dll Process not Found File created C:\Windows\SysWOW64\Jbkicgjf.dll Mnakjaoc.exe File opened for modification C:\Windows\SysWOW64\Lkdmneoo.exe Lblhep32.exe File created C:\Windows\SysWOW64\Dhnahl32.exe Dmimkc32.exe File created C:\Windows\SysWOW64\Aejlqe32.dll Cjepib32.exe File opened for modification C:\Windows\SysWOW64\Bgedlbfj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgmkef32.exe Kkdnke32.exe File created C:\Windows\SysWOW64\Ieaekdkn.exe Ingmoj32.exe File created C:\Windows\SysWOW64\Ifajif32.exe Iogbllfc.exe File opened for modification C:\Windows\SysWOW64\Ipkkhckl.exe Iiablido.exe File created C:\Windows\SysWOW64\Pmdolc32.dll Cdphbm32.exe File created C:\Windows\SysWOW64\Alqfjdgq.dll Process not Found File created C:\Windows\SysWOW64\Lcieef32.exe Kpeonkig.exe File opened for modification C:\Windows\SysWOW64\Obilip32.exe Ojnhdn32.exe File opened for modification C:\Windows\SysWOW64\Epmcqf32.exe Ecfcle32.exe File created C:\Windows\SysWOW64\Bgaengmn.dll Ledpjdid.exe File created C:\Windows\SysWOW64\Kgibpg32.dll Process not Found File created C:\Windows\SysWOW64\Gfgfjhom.dll Process not Found File created C:\Windows\SysWOW64\Oihacbfh.exe Process not Found File created C:\Windows\SysWOW64\Jmifofko.dll Lklmoccl.exe File created C:\Windows\SysWOW64\Foinej32.dll Mgbcha32.exe File created C:\Windows\SysWOW64\Mcmnbbja.exe Lnpejklj.exe File opened for modification C:\Windows\SysWOW64\Ahcoli32.exe Qkpnbdaf.exe File created C:\Windows\SysWOW64\Bgkkdkae.dll Process not Found File created C:\Windows\SysWOW64\Pliooeco.dll Process not Found File created C:\Windows\SysWOW64\Hlalhe32.exe Process not Found File created C:\Windows\SysWOW64\Lcolpe32.exe Kfklgape.exe File opened for modification C:\Windows\SysWOW64\Nbmhfdnh.exe Niednn32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Linfpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biecoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pipklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncqlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 997e46976561af3e3abe24e5789d4d70N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqaph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfflhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domgache.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmoone32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapcaocc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfaof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeeeeehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgjbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllmkcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheljhof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmaaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmacqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajkjphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqnfiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihinkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdplmflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impdeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbfek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlaqba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijbnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlmacfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkkhckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkklflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alfflhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjenb32.dll" Kldofi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heohnaao.dll" Hjhaob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqgkkj32.dll" Ffmnloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdkhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbqgnl32.dll" Jnlhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpgjob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmnhojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljffe32.dll" Ahpdficc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolfao32.dll" Mqqolfik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adggon32.dll" Cajokmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Cincaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpccnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmadag32.dll" Ehechn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkdpafo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofbgc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ookjbg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcendg.dll" Kocodbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhack32.dll" Lkafib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aamekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmij32.dll" Lkolmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgbhe32.dll" Boohgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coofoghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjeah32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjifpdib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imgija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igeljknl.dll" Kmeknakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfeonq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqpab32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lebcdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngcebnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biecoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpdiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclilliq.dll" Qgeckn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqjld32.dll" Hidjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhpqn32.dll" Gfobndnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pghklq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpehpm32.dll" Ehfmkmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfddfjmg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndbeeo.dll" Dkolblkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjlglao.dll" Nmkklflj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnjlfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idjjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddfbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2968 wrote to memory of 664 2968 997e46976561af3e3abe24e5789d4d70N.exe 29 PID 2968 wrote to memory of 664 2968 997e46976561af3e3abe24e5789d4d70N.exe 29 PID 2968 wrote to memory of 664 2968 997e46976561af3e3abe24e5789d4d70N.exe 29 PID 2968 wrote to memory of 664 2968 997e46976561af3e3abe24e5789d4d70N.exe 29 PID 664 wrote to memory of 2504 664 Gofajcog.exe 30 PID 664 wrote to memory of 2504 664 Gofajcog.exe 30 PID 664 wrote to memory of 2504 664 Gofajcog.exe 30 PID 664 wrote to memory of 2504 664 Gofajcog.exe 30 PID 2504 wrote to memory of 2868 2504 Ghnfci32.exe 31 PID 2504 wrote to memory of 2868 2504 Ghnfci32.exe 31 PID 2504 wrote to memory of 2868 2504 Ghnfci32.exe 31 PID 2504 wrote to memory of 2868 2504 Ghnfci32.exe 31 PID 2868 wrote to memory of 2832 2868 Gjnbmlmj.exe 32 PID 2868 wrote to memory of 2832 2868 Gjnbmlmj.exe 32 PID 2868 wrote to memory of 2832 2868 Gjnbmlmj.exe 32 PID 2868 wrote to memory of 2832 2868 Gjnbmlmj.exe 32 PID 2832 wrote to memory of 2820 2832 Gcfgfack.exe 33 PID 2832 wrote to memory of 2820 2832 Gcfgfack.exe 33 PID 2832 wrote to memory of 2820 2832 Gcfgfack.exe 33 PID 2832 wrote to memory of 2820 2832 Gcfgfack.exe 33 PID 2820 wrote to memory of 2704 2820 Goodpb32.exe 34 PID 2820 wrote to memory of 2704 2820 Goodpb32.exe 34 PID 2820 wrote to memory of 2704 2820 Goodpb32.exe 34 PID 2820 wrote to memory of 2704 2820 Goodpb32.exe 34 PID 2704 wrote to memory of 2612 2704 Higiih32.exe 35 PID 2704 wrote to memory of 2612 2704 Higiih32.exe 35 PID 2704 wrote to memory of 2612 2704 Higiih32.exe 35 PID 2704 wrote to memory of 2612 2704 Higiih32.exe 35 PID 2612 wrote to memory of 832 2612 Henjnica.exe 36 PID 2612 wrote to memory of 832 2612 Henjnica.exe 36 PID 2612 wrote to memory of 832 2612 Henjnica.exe 36 PID 2612 wrote to memory of 832 2612 Henjnica.exe 36 PID 832 wrote to memory of 1764 832 Hjplao32.exe 37 PID 832 wrote to memory of 1764 832 Hjplao32.exe 37 PID 832 wrote to memory of 1764 832 Hjplao32.exe 37 PID 832 wrote to memory of 1764 832 Hjplao32.exe 37 PID 1764 wrote to memory of 2548 1764 Hpmdjf32.exe 38 PID 1764 wrote to memory of 2548 1764 Hpmdjf32.exe 38 PID 1764 wrote to memory of 2548 1764 Hpmdjf32.exe 38 PID 1764 wrote to memory of 2548 1764 Hpmdjf32.exe 38 PID 2548 wrote to memory of 2620 2548 Ipameehe.exe 39 PID 2548 wrote to memory of 2620 2548 Ipameehe.exe 39 PID 2548 wrote to memory of 2620 2548 Ipameehe.exe 39 PID 2548 wrote to memory of 2620 2548 Ipameehe.exe 39 PID 2620 wrote to memory of 1164 2620 Iijbnkne.exe 40 PID 2620 wrote to memory of 1164 2620 Iijbnkne.exe 40 PID 2620 wrote to memory of 1164 2620 Iijbnkne.exe 40 PID 2620 wrote to memory of 1164 2620 Iijbnkne.exe 40 PID 1164 wrote to memory of 2284 1164 Iaegbmlq.exe 41 PID 1164 wrote to memory of 2284 1164 Iaegbmlq.exe 41 PID 1164 wrote to memory of 2284 1164 Iaegbmlq.exe 41 PID 1164 wrote to memory of 2284 1164 Iaegbmlq.exe 41 PID 2284 wrote to memory of 2252 2284 Jalmcl32.exe 42 PID 2284 wrote to memory of 2252 2284 Jalmcl32.exe 42 PID 2284 wrote to memory of 2252 2284 Jalmcl32.exe 42 PID 2284 wrote to memory of 2252 2284 Jalmcl32.exe 42 PID 2252 wrote to memory of 2084 2252 Jfiekc32.exe 43 PID 2252 wrote to memory of 2084 2252 Jfiekc32.exe 43 PID 2252 wrote to memory of 2084 2252 Jfiekc32.exe 43 PID 2252 wrote to memory of 2084 2252 Jfiekc32.exe 43 PID 2084 wrote to memory of 1228 2084 Jgmofbpk.exe 44 PID 2084 wrote to memory of 1228 2084 Jgmofbpk.exe 44 PID 2084 wrote to memory of 1228 2084 Jgmofbpk.exe 44 PID 2084 wrote to memory of 1228 2084 Jgmofbpk.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\997e46976561af3e3abe24e5789d4d70N.exe"C:\Users\Admin\AppData\Local\Temp\997e46976561af3e3abe24e5789d4d70N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Gjnbmlmj.exeC:\Windows\system32\Gjnbmlmj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Goodpb32.exeC:\Windows\system32\Goodpb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Jalmcl32.exeC:\Windows\system32\Jalmcl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:432 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Nqakim32.exeC:\Windows\system32\Nqakim32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Ophanl32.exeC:\Windows\system32\Ophanl32.exe33⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe34⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe36⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe37⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe38⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe39⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe40⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe41⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe44⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe45⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe46⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe47⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe48⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe49⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe50⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe52⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe53⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe54⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bfqaph32.exeC:\Windows\system32\Bfqaph32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe57⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe58⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe59⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe60⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe61⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe62⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe63⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe64⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe65⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe66⤵PID:2552
-
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe67⤵PID:520
-
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe68⤵PID:1736
-
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe69⤵PID:2976
-
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe71⤵PID:1968
-
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe72⤵PID:2188
-
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe74⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe75⤵PID:2984
-
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe76⤵PID:2748
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe77⤵PID:2264
-
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe78⤵PID:2692
-
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe80⤵PID:1724
-
C:\Windows\SysWOW64\Fdbgia32.exeC:\Windows\system32\Fdbgia32.exe81⤵PID:1620
-
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe83⤵PID:3008
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe84⤵PID:1552
-
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe85⤵PID:1508
-
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe86⤵PID:2408
-
C:\Windows\SysWOW64\Fclmem32.exeC:\Windows\system32\Fclmem32.exe87⤵PID:836
-
C:\Windows\SysWOW64\Fldbnb32.exeC:\Windows\system32\Fldbnb32.exe88⤵
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe89⤵PID:2972
-
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe90⤵PID:2196
-
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe91⤵PID:2452
-
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe92⤵PID:2736
-
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe93⤵PID:2900
-
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe94⤵PID:2744
-
C:\Windows\SysWOW64\Icponb32.exeC:\Windows\system32\Icponb32.exe95⤵PID:1120
-
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe96⤵PID:2524
-
C:\Windows\SysWOW64\Ijmdql32.exeC:\Windows\system32\Ijmdql32.exe97⤵PID:2840
-
C:\Windows\SysWOW64\Ilnqhddd.exeC:\Windows\system32\Ilnqhddd.exe98⤵PID:736
-
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe99⤵PID:3012
-
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe100⤵PID:1036
-
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe101⤵PID:1928
-
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe102⤵PID:2208
-
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe103⤵PID:3020
-
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe104⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe105⤵PID:1780
-
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe106⤵PID:2564
-
C:\Windows\SysWOW64\Kpiihgoh.exeC:\Windows\system32\Kpiihgoh.exe107⤵PID:2724
-
C:\Windows\SysWOW64\Khpaidpk.exeC:\Windows\system32\Khpaidpk.exe108⤵PID:2824
-
C:\Windows\SysWOW64\Kmmiaknb.exeC:\Windows\system32\Kmmiaknb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe110⤵PID:3052
-
C:\Windows\SysWOW64\Klbfbg32.exeC:\Windows\system32\Klbfbg32.exe111⤵PID:1776
-
C:\Windows\SysWOW64\Kekkkm32.exeC:\Windows\system32\Kekkkm32.exe112⤵PID:1084
-
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe113⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe114⤵PID:2192
-
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe115⤵PID:1640
-
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe116⤵PID:1500
-
C:\Windows\SysWOW64\Lklmoccl.exeC:\Windows\system32\Lklmoccl.exe117⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe118⤵PID:2096
-
C:\Windows\SysWOW64\Lojeda32.exeC:\Windows\system32\Lojeda32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe120⤵PID:2148
-
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe121⤵
- Modifies registry class
PID:2648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-