Analysis
max time kernel: 133s
max time network: 18s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 28-08-2024 22:45

Static task: static1

Behavioral task: behavioral1
Sample: 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe
Resource: win10v2004-20240802-en

General
Target: 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe
Size: 664KB
MD5: 34594db7fff15f8fa67556218b44e122
SHA1: 484640db36386c413206c967697d90426b0d269e
SHA256: 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9
SHA512: 699288c89719ee65164fda0e97dae73efc92849669c6dc5e6c37e4aa46deb5b50e5e731625a3bb6d1d1ed8d37430d32d52fd5e8d2f8f32780ad2d7635b95ca38
SSDEEP: 12288:cuQnAc3pV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYx:TQnAwW4XWleKWNUir2MhNl6zX3w9As/8

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2224 wrote to memory of 2064 2224 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe 29 PID 2224 wrote to memory of 2064 2224 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe 29 PID 2224 wrote to memory of 2064 2224 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe 29 PID 2224 wrote to memory of 2064 2224 64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe 29 PID 2064 wrote to memory of 2204 2064 Aoilcc32.exe 30 PID 2064 wrote to memory of 2204 2064 Aoilcc32.exe 30 PID 2064 wrote to memory of 2204 2064 Aoilcc32.exe 30 PID 2064 wrote to memory of 2204 2064 Aoilcc32.exe 30 PID 2204 wrote to memory of 2912 2204 Bnfodojp.exe 31 PID 2204 wrote to memory of 2912 2204 Bnfodojp.exe 31 PID 2204 wrote to memory of 2912 2204 Bnfodojp.exe 31 PID 2204 wrote to memory of 2912 2204 Bnfodojp.exe 31 PID 2912 wrote to memory of 2800 2912 Cgcmiclk.exe 32 PID 2912 wrote to memory of 2800 2912 Cgcmiclk.exe 32 PID 2912 wrote to memory of 2800 2912 Cgcmiclk.exe 32 PID 2912 wrote to memory of 2800 2912 Cgcmiclk.exe 32 PID 2800 wrote to memory of 2668 2800 Cdbqflae.exe 33 PID 2800 wrote to memory of 2668 2800 Cdbqflae.exe 33 PID 2800 wrote to memory of 2668 2800 Cdbqflae.exe 33 PID 2800 wrote to memory of 2668 2800 Cdbqflae.exe 33 PID 2668 wrote to memory of 2528 2668 Dcijmhdj.exe 34 PID 2668 wrote to memory of 2528 2668 Dcijmhdj.exe 34 PID 2668 wrote to memory of 2528 2668 Dcijmhdj.exe 34 PID 2668 wrote to memory of 2528 2668 Dcijmhdj.exe 34 PID 2528 wrote to memory of 1892 2528 Ebhjdc32.exe 35 PID 2528 wrote to memory of 1892 2528 Ebhjdc32.exe 35 PID 2528 wrote to memory of 1892 2528 Ebhjdc32.exe 35 PID 2528 wrote to memory of 1892 2528 Ebhjdc32.exe 35 PID 1892 wrote to memory of 2380 1892 Fmhaep32.exe 36 PID 1892 wrote to memory of 2380 1892 Fmhaep32.exe 36 PID 1892 wrote to memory of 2380 1892 Fmhaep32.exe 36 PID 1892 wrote to memory of 2380 1892 Fmhaep32.exe 36 PID 2380 
wrote to memory of 2044 2380 Gifhkpgk.exe 37 PID 2380 wrote to memory of 2044 2380 Gifhkpgk.exe 37 PID 2380 wrote to memory of 2044 2380 Gifhkpgk.exe 37 PID 2380 wrote to memory of 2044 2380 Gifhkpgk.exe 37 PID 2044 wrote to memory of 2680 2044 Glgqlkdl.exe 38 PID 2044 wrote to memory of 2680 2044 Glgqlkdl.exe 38 PID 2044 wrote to memory of 2680 2044 Glgqlkdl.exe 38 PID 2044 wrote to memory of 2680 2044 Glgqlkdl.exe 38 PID 2680 wrote to memory of 2976 2680 Gklnmgic.exe 39 PID 2680 wrote to memory of 2976 2680 Gklnmgic.exe 39 PID 2680 wrote to memory of 2976 2680 Gklnmgic.exe 39 PID 2680 wrote to memory of 2976 2680 Gklnmgic.exe 39 PID 2976 wrote to memory of 108 2976 Gaibpa32.exe 40 PID 2976 wrote to memory of 108 2976 Gaibpa32.exe 40 PID 2976 wrote to memory of 108 2976 Gaibpa32.exe 40 PID 2976 wrote to memory of 108 2976 Gaibpa32.exe 40 PID 108 wrote to memory of 2000 108 Glbcpokl.exe 41 PID 108 wrote to memory of 2000 108 Glbcpokl.exe 41 PID 108 wrote to memory of 2000 108 Glbcpokl.exe 41 PID 108 wrote to memory of 2000 108 Glbcpokl.exe 41 PID 2000 wrote to memory of 2392 2000 Hldpfnij.exe 42 PID 2000 wrote to memory of 2392 2000 Hldpfnij.exe 42 PID 2000 wrote to memory of 2392 2000 Hldpfnij.exe 42 PID 2000 wrote to memory of 2392 2000 Hldpfnij.exe 42 PID 2392 wrote to memory of 2440 2392 Hoeigi32.exe 43 PID 2392 wrote to memory of 2440 2392 Hoeigi32.exe 43 PID 2392 wrote to memory of 2440 2392 Hoeigi32.exe 43 PID 2392 wrote to memory of 2440 2392 Hoeigi32.exe 43 PID 2440 wrote to memory of 1092 2440 Hccbnhla.exe 44 PID 2440 wrote to memory of 1092 2440 Hccbnhla.exe 44 PID 2440 wrote to memory of 1092 2440 Hccbnhla.exe 44 PID 2440 wrote to memory of 1092 2440 Hccbnhla.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe"C:\Users\Admin\AppData\Local\Temp\64025db34cd9b5ae55a44f97fd1f6c8d23998a211b415520b70d07102fc798a9.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Aoilcc32.exeC:\Windows\system32\Aoilcc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Bnfodojp.exeC:\Windows\system32\Bnfodojp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Cgcmiclk.exeC:\Windows\system32\Cgcmiclk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Gklnmgic.exeC:\Windows\system32\Gklnmgic.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Hldpfnij.exeC:\Windows\system32\Hldpfnij.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Hoeigi32.exeC:\Windows\system32\Hoeigi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Hccbnhla.exeC:\Windows\system32\Hccbnhla.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Jibcja32.exeC:\Windows\system32\Jibcja32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Joohmk32.exeC:\Windows\system32\Joohmk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Kaihjbno.exeC:\Windows\system32\Kaihjbno.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Kfhmhi32.exeC:\Windows\system32\Kfhmhi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Kemjieol.exeC:\Windows\system32\Kemjieol.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Kfmfchfo.exeC:\Windows\system32\Kfmfchfo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Lbfdnijp.exeC:\Windows\system32\Lbfdnijp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Ldjmkq32.exeC:\Windows\system32\Ldjmkq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Lhgeao32.exeC:\Windows\system32\Lhgeao32.exe33⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe34⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe35⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe38⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mdlfpcnd.exeC:\Windows\system32\Mdlfpcnd.exe39⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Npecjdaf.exeC:\Windows\system32\Npecjdaf.exe41⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe42⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ndeifbfj.exeC:\Windows\system32\Ndeifbfj.exe43⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe44⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Ocmbmnio.exeC:\Windows\system32\Ocmbmnio.exe46⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Oilgje32.exeC:\Windows\system32\Oilgje32.exe48⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe49⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe50⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe52⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe53⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Pcokaa32.exeC:\Windows\system32\Pcokaa32.exe54⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe55⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe56⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe58⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe59⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Anbohn32.exeC:\Windows\system32\Anbohn32.exe60⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe61⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe62⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe63⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe64⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Cgfcabeh.exeC:\Windows\system32\Cgfcabeh.exe65⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Cghpgbce.exeC:\Windows\system32\Cghpgbce.exe66⤵PID:2624
-
C:\Windows\SysWOW64\Dnbdbomn.exeC:\Windows\system32\Dnbdbomn.exe67⤵PID:2144
-
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe68⤵PID:2980
-
C:\Windows\SysWOW64\Ejnnbpol.exeC:\Windows\system32\Ejnnbpol.exe69⤵PID:740
-
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe70⤵PID:2972
-
C:\Windows\SysWOW64\Eqjceidf.exeC:\Windows\system32\Eqjceidf.exe71⤵PID:1724
-
C:\Windows\SysWOW64\Ebnlba32.exeC:\Windows\system32\Ebnlba32.exe72⤵PID:1584
-
C:\Windows\SysWOW64\Fbpihafp.exeC:\Windows\system32\Fbpihafp.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe74⤵PID:1692
-
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe75⤵PID:296
-
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe76⤵PID:2356
-
C:\Windows\SysWOW64\Gigano32.exeC:\Windows\system32\Gigano32.exe77⤵PID:1688
-
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe78⤵PID:112
-
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe79⤵PID:1076
-
C:\Windows\SysWOW64\Gbglgcbc.exeC:\Windows\system32\Gbglgcbc.exe80⤵PID:2520
-
C:\Windows\SysWOW64\Gonlld32.exeC:\Windows\system32\Gonlld32.exe81⤵PID:2952
-
C:\Windows\SysWOW64\Hanenoeh.exeC:\Windows\system32\Hanenoeh.exe82⤵PID:2932
-
C:\Windows\SysWOW64\Hmefcp32.exeC:\Windows\system32\Hmefcp32.exe83⤵PID:2124
-
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe84⤵PID:2280
-
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe85⤵PID:2272
-
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe86⤵PID:2600
-
C:\Windows\SysWOW64\Iegaha32.exeC:\Windows\system32\Iegaha32.exe87⤵PID:3036
-
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe88⤵PID:2324
-
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe89⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Ihmcelkk.exeC:\Windows\system32\Ihmcelkk.exe90⤵PID:2808
-
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe91⤵PID:684
-
C:\Windows\SysWOW64\Jdfqomom.exeC:\Windows\system32\Jdfqomom.exe92⤵PID:3056
-
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe93⤵PID:2408
-
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe94⤵PID:1208
-
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe95⤵PID:672
-
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe96⤵PID:1716
-
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe98⤵PID:1680
-
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe99⤵PID:468
-
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe100⤵PID:1992
-
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe101⤵PID:2916
-
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe102⤵PID:2348
-
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe103⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe104⤵PID:2828
-
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe105⤵PID:2332
-
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe106⤵PID:1196
-
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe108⤵PID:2500
-
C:\Windows\SysWOW64\Oncpmf32.exeC:\Windows\system32\Oncpmf32.exe109⤵PID:1444
-
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe110⤵PID:1036
-
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe111⤵PID:2636
-
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe112⤵PID:1616
-
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe113⤵PID:1216
-
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe114⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe115⤵PID:2724
-
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe116⤵PID:908
-
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe117⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Aifpcfjd.exeC:\Windows\system32\Aifpcfjd.exe118⤵PID:548
-
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe119⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe120⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe121⤵PID:1720
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe122⤵PID:2656