Analysis

max time kernel: 110s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 16:20
Static task: static1

Behavioral task: behavioral1
  Sample: 14761e6f37337d70fd20e4bd4fbcc1f0N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 14761e6f37337d70fd20e4bd4fbcc1f0N.exe
  Resource: win10v2004-20240802-en
General

Target: 14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Size: 96KB
MD5: 14761e6f37337d70fd20e4bd4fbcc1f0
SHA1: 8a2923bd4088132ffe7553cdcc06655a1e02e5eb
SHA256: 08b9f8bb9e1c7964494064d4f85e1e851e26427ce4a6036d8061d598ce7b5262
SHA512: c130772d43e4d2a102058283b1ae20bcb23e519969aaf1cd1b927f9398a0126482102bd39342292264be45d3bb4021534d5eca288a447681d731b80460ddf742
SSDEEP: 1536:/hK+EV9sUqsE0u7hJiFFEa5s2LusBMu/HCmiDcg3MZRP3cEW3AE:/GVm9sE0khI2a5lua6miEo
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4420, pid_target: 4412, Process: WerFault.exe, procid_target: 371
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14761e6f37337d70fd20e4bd4fbcc1f0N.exe"C:\Users\Admin\AppData\Local\Temp\14761e6f37337d70fd20e4bd4fbcc1f0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Kjngjj32.exeC:\Windows\system32\Kjngjj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Kpgpfdoj.exeC:\Windows\system32\Kpgpfdoj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Kchhholk.exeC:\Windows\system32\Kchhholk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Kckeno32.exeC:\Windows\system32\Kckeno32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Kbpbokop.exeC:\Windows\system32\Kbpbokop.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Lodbhp32.exeC:\Windows\system32\Lodbhp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Lfpgkicd.exeC:\Windows\system32\Lfpgkicd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Lgcqhagp.exeC:\Windows\system32\Lgcqhagp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Lnnidk32.exeC:\Windows\system32\Lnnidk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Mdjnge32.exeC:\Windows\system32\Mdjnge32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Mfngdmgb.exeC:\Windows\system32\Mfngdmgb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Mpflmbnc.exeC:\Windows\system32\Mpflmbnc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Mbgdonkd.exeC:\Windows\system32\Mbgdonkd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Megmpi32.exeC:\Windows\system32\Megmpi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Nhhfbd32.exeC:\Windows\system32\Nhhfbd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Nbnkomel.exeC:\Windows\system32\Nbnkomel.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Nmglpjak.exeC:\Windows\system32\Nmglpjak.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Nmjhejph.exeC:\Windows\system32\Nmjhejph.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Nmlekj32.exeC:\Windows\system32\Nmlekj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Ofdicodf.exeC:\Windows\system32\Ofdicodf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ofgfio32.exeC:\Windows\system32\Ofgfio32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Oelcjkgk.exeC:\Windows\system32\Oelcjkgk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Oodhca32.exeC:\Windows\system32\Oodhca32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Okkhhb32.exeC:\Windows\system32\Okkhhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Pmlajm32.exeC:\Windows\system32\Pmlajm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Pgdfbb32.exeC:\Windows\system32\Pgdfbb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Pmqkellk.exeC:\Windows\system32\Pmqkellk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Pdjcaf32.exeC:\Windows\system32\Pdjcaf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Pcppbc32.exeC:\Windows\system32\Pcppbc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Peqidn32.exeC:\Windows\system32\Peqidn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Qlmnfh32.exeC:\Windows\system32\Qlmnfh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Akdgmd32.exeC:\Windows\system32\Akdgmd32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Ahhhgh32.exeC:\Windows\system32\Ahhhgh32.exe35⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Adoili32.exeC:\Windows\system32\Adoili32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Angmdoho.exeC:\Windows\system32\Angmdoho.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Anjjjn32.exeC:\Windows\system32\Anjjjn32.exe38⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Bfeonq32.exeC:\Windows\system32\Bfeonq32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Bjcgdojn.exeC:\Windows\system32\Bjcgdojn.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Baeepm32.exeC:\Windows\system32\Baeepm32.exe41⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Cnlcoage.exeC:\Windows\system32\Cnlcoage.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Cfggccdp.exeC:\Windows\system32\Cfggccdp.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Cihqdoaa.exeC:\Windows\system32\Cihqdoaa.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Cbpendha.exeC:\Windows\system32\Cbpendha.exe45⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Clhifj32.exeC:\Windows\system32\Clhifj32.exe46⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Doibhekc.exeC:\Windows\system32\Doibhekc.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Diofenki.exeC:\Windows\system32\Diofenki.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Dbgknc32.exeC:\Windows\system32\Dbgknc32.exe49⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Dhdcfj32.exeC:\Windows\system32\Dhdcfj32.exe50⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dhfpljnn.exeC:\Windows\system32\Dhfpljnn.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Dophid32.exeC:\Windows\system32\Dophid32.exe52⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ddmaak32.exeC:\Windows\system32\Ddmaak32.exe53⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ekgineko.exeC:\Windows\system32\Ekgineko.exe54⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ehkjgi32.exeC:\Windows\system32\Ehkjgi32.exe55⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Emhbop32.exeC:\Windows\system32\Emhbop32.exe56⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ecdkgg32.exeC:\Windows\system32\Ecdkgg32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Eiocdand.exeC:\Windows\system32\Eiocdand.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Elmoqlmh.exeC:\Windows\system32\Elmoqlmh.exe59⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Epkhfkco.exeC:\Windows\system32\Epkhfkco.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Eiclop32.exeC:\Windows\system32\Eiclop32.exe61⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Eopehg32.exeC:\Windows\system32\Eopehg32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Fieiephm.exeC:\Windows\system32\Fieiephm.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Fkgemh32.exeC:\Windows\system32\Fkgemh32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Faanibeh.exeC:\Windows\system32\Faanibeh.exe65⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Fnhnnc32.exeC:\Windows\system32\Fnhnnc32.exe66⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Fgpcgi32.exeC:\Windows\system32\Fgpcgi32.exe67⤵PID:1852
-
C:\Windows\SysWOW64\Faegda32.exeC:\Windows\system32\Faegda32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:112 -
C:\Windows\SysWOW64\Fnlhibff.exeC:\Windows\system32\Fnlhibff.exe69⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Fdfpfm32.exeC:\Windows\system32\Fdfpfm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Fnodob32.exeC:\Windows\system32\Fnodob32.exe71⤵PID:2484
-
C:\Windows\SysWOW64\Gckmgi32.exeC:\Windows\system32\Gckmgi32.exe72⤵PID:1612
-
C:\Windows\SysWOW64\Gmdapoil.exeC:\Windows\system32\Gmdapoil.exe73⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Gcnjmi32.exeC:\Windows\system32\Gcnjmi32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Ghkbepop.exeC:\Windows\system32\Ghkbepop.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Gcpfbhof.exeC:\Windows\system32\Gcpfbhof.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Gmhkkn32.exeC:\Windows\system32\Gmhkkn32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Gogggi32.exeC:\Windows\system32\Gogggi32.exe78⤵PID:908
-
C:\Windows\SysWOW64\Gddppp32.exeC:\Windows\system32\Gddppp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Goidmibg.exeC:\Windows\system32\Goidmibg.exe80⤵PID:2856
-
C:\Windows\SysWOW64\Hiahfo32.exeC:\Windows\system32\Hiahfo32.exe81⤵PID:2340
-
C:\Windows\SysWOW64\Hnoane32.exeC:\Windows\system32\Hnoane32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Hehikpol.exeC:\Windows\system32\Hehikpol.exe83⤵PID:2432
-
C:\Windows\SysWOW64\Hkbagjfi.exeC:\Windows\system32\Hkbagjfi.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Hblidd32.exeC:\Windows\system32\Hblidd32.exe85⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Hgiblk32.exeC:\Windows\system32\Hgiblk32.exe86⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Hmfjda32.exeC:\Windows\system32\Hmfjda32.exe87⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Hjjknfin.exeC:\Windows\system32\Hjjknfin.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Hpgcfmge.exeC:\Windows\system32\Hpgcfmge.exe89⤵PID:2128
-
C:\Windows\SysWOW64\Hjlhcegl.exeC:\Windows\system32\Hjlhcegl.exe90⤵PID:2552
-
C:\Windows\SysWOW64\Ipipllec.exeC:\Windows\system32\Ipipllec.exe91⤵PID:428
-
C:\Windows\SysWOW64\Ijodiedi.exeC:\Windows\system32\Ijodiedi.exe92⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Ipkmal32.exeC:\Windows\system32\Ipkmal32.exe93⤵PID:1800
-
C:\Windows\SysWOW64\Ifeenfjm.exeC:\Windows\system32\Ifeenfjm.exe94⤵PID:2084
-
C:\Windows\SysWOW64\Ilbnfmhd.exeC:\Windows\system32\Ilbnfmhd.exe95⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Inqjbhhh.exeC:\Windows\system32\Inqjbhhh.exe96⤵PID:2632
-
C:\Windows\SysWOW64\Ildjlmfb.exeC:\Windows\system32\Ildjlmfb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Ifjoie32.exeC:\Windows\system32\Ifjoie32.exe98⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Ihkkanlf.exeC:\Windows\system32\Ihkkanlf.exe99⤵PID:324
-
C:\Windows\SysWOW64\Iacojc32.exeC:\Windows\system32\Iacojc32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Jjldbiig.exeC:\Windows\system32\Jjldbiig.exe101⤵PID:2480
-
C:\Windows\SysWOW64\Jddhknpg.exeC:\Windows\system32\Jddhknpg.exe102⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Jojmigpn.exeC:\Windows\system32\Jojmigpn.exe103⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Jahieboa.exeC:\Windows\system32\Jahieboa.exe104⤵
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Jolingnk.exeC:\Windows\system32\Jolingnk.exe105⤵PID:2968
-
C:\Windows\SysWOW64\Jhengldk.exeC:\Windows\system32\Jhengldk.exe106⤵PID:2868
-
C:\Windows\SysWOW64\Jifjod32.exeC:\Windows\system32\Jifjod32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Jppbkoaf.exeC:\Windows\system32\Jppbkoaf.exe108⤵
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Jihgdd32.exeC:\Windows\system32\Jihgdd32.exe109⤵PID:2056
-
C:\Windows\SysWOW64\Kikcjdfd.exeC:\Windows\system32\Kikcjdfd.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Kbchbi32.exeC:\Windows\system32\Kbchbi32.exe111⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Kefnjdgc.exeC:\Windows\system32\Kefnjdgc.exe112⤵PID:2000
-
C:\Windows\SysWOW64\Koobcj32.exeC:\Windows\system32\Koobcj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Koaohila.exeC:\Windows\system32\Koaohila.exe114⤵PID:1708
-
C:\Windows\SysWOW64\Lpdhea32.exeC:\Windows\system32\Lpdhea32.exe115⤵PID:2684
-
C:\Windows\SysWOW64\Lnhioeof.exeC:\Windows\system32\Lnhioeof.exe116⤵PID:860
-
C:\Windows\SysWOW64\Lceagmmn.exeC:\Windows\system32\Lceagmmn.exe117⤵PID:1188
-
C:\Windows\SysWOW64\Lfcmchla.exeC:\Windows\system32\Lfcmchla.exe118⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Lcgnmlkk.exeC:\Windows\system32\Lcgnmlkk.exe119⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ljafifbh.exeC:\Windows\system32\Ljafifbh.exe120⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Llpbeaak.exeC:\Windows\system32\Llpbeaak.exe121⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Lonoamqo.exeC:\Windows\system32\Lonoamqo.exe122⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532