Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 05:25
Behavioral task
behavioral1
Sample
f2dee1395dcac34f0b3570389026fd00N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f2dee1395dcac34f0b3570389026fd00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
f2dee1395dcac34f0b3570389026fd00N.exe
-
Size
337KB
-
MD5
f2dee1395dcac34f0b3570389026fd00
-
SHA1
0daa6ca0e253f62b5fcec4647dbbcf4b3df1462f
-
SHA256
e3c41f573848b62c3bc500c5742e50f4a7cd38f3c4b1a91bafbc233018d33066
-
SHA512
b6097638b4fea367cc4629762142f95be71f657422105f481e087a6f716940a0f33b3eece0e675739a90862f19872188ccd37a8a931fbe677b1d86db42e406bf
-
SSDEEP
3072:KoCo1s2wIx7mgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:Kd5Gm1+fIyG5jZkCwi8r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljmlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koibpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombddbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogijnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidddj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aompambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injndk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjaikoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipgifcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhkipdeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laleof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgkcpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpobefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchdpbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdendpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqocoin.exe -
Executes dropped EXE 64 IoCs
pid Process 2148 Dbncjf32.exe 2556 Daacecfc.exe 2208 Dhkkbmnp.exe 2824 Dmjqpdje.exe 2476 Dgbeiiqe.exe 2344 Ddfebnoo.exe 2608 Dmojkc32.exe 2052 Epmfgo32.exe 704 Ecnoijbd.exe 1760 Egikjh32.exe 1576 Eeohkeoe.exe 1864 Ecbhdi32.exe 2392 Eeaepd32.exe 1920 Fkpjnkig.exe 3032 Fnofjfhk.exe 2416 Fggkcl32.exe 2936 Fjegog32.exe 3000 Fnacpffh.exe 2036 Fpoolael.exe 1808 Fcnkhmdp.exe 1740 Fgigil32.exe 1748 Fjhcegll.exe 1528 Fncpef32.exe 1040 Fqalaa32.exe 912 Fdmhbplb.exe 1580 Fgldnkkf.exe 2364 Fnflke32.exe 2704 Gkpfmnlb.exe 2604 Golbnm32.exe 2348 Gdhkfd32.exe 2780 Ghdgfbkl.exe 2352 Gfhgpg32.exe 2648 Gdkgkcpq.exe 580 Giipab32.exe 1184 Ggkqmoma.exe 832 Gepafc32.exe 268 Ggnmbn32.exe 2840 Hmkeke32.exe 1244 Hebnlb32.exe 2912 Hnjbeh32.exe 1632 Hahnac32.exe 1048 Hgbfnngi.exe 1500 Hidcef32.exe 2696 Hcigco32.exe 1764 Hmalldcn.exe 2436 Hfjpdjjo.exe 1984 Hihlqeib.exe 2200 Hbaaik32.exe 1768 Ieomef32.exe 2744 Ipeaco32.exe 2804 Inhanl32.exe 3052 Iimfld32.exe 2592 Illbhp32.exe 2764 Injndk32.exe 2088 Ibejdjln.exe 2892 Iedfqeka.exe 1316 Ihbcmaje.exe 1824 Inlkik32.exe 2220 Iakgefqe.exe 2996 Ihdpbq32.exe 636 Ijclol32.exe 948 Ioohokoo.exe 652 Imahkg32.exe 292 Idkpganf.exe -
Loads dropped DLL 64 IoCs
pid Process 2684 f2dee1395dcac34f0b3570389026fd00N.exe 2684 f2dee1395dcac34f0b3570389026fd00N.exe 2148 Dbncjf32.exe 2148 Dbncjf32.exe 2556 Daacecfc.exe 2556 Daacecfc.exe 2208 Dhkkbmnp.exe 2208 Dhkkbmnp.exe 2824 Dmjqpdje.exe 2824 Dmjqpdje.exe 2476 Dgbeiiqe.exe 2476 Dgbeiiqe.exe 2344 Ddfebnoo.exe 2344 Ddfebnoo.exe 2608 Dmojkc32.exe 2608 Dmojkc32.exe 2052 Epmfgo32.exe 2052 Epmfgo32.exe 704 Ecnoijbd.exe 704 Ecnoijbd.exe 1760 Egikjh32.exe 1760 Egikjh32.exe 1576 Eeohkeoe.exe 1576 Eeohkeoe.exe 1864 Ecbhdi32.exe 1864 Ecbhdi32.exe 2392 Eeaepd32.exe 2392 Eeaepd32.exe 1920 Fkpjnkig.exe 1920 Fkpjnkig.exe 3032 Fnofjfhk.exe 3032 Fnofjfhk.exe 2416 Fggkcl32.exe 2416 Fggkcl32.exe 2936 Fjegog32.exe 2936 Fjegog32.exe 3000 Fnacpffh.exe 3000 Fnacpffh.exe 2036 Fpoolael.exe 2036 Fpoolael.exe 1808 Fcnkhmdp.exe 1808 Fcnkhmdp.exe 1740 Fgigil32.exe 1740 Fgigil32.exe 1748 Fjhcegll.exe 1748 Fjhcegll.exe 1528 Fncpef32.exe 1528 Fncpef32.exe 1040 Fqalaa32.exe 1040 Fqalaa32.exe 912 Fdmhbplb.exe 912 Fdmhbplb.exe 1580 Fgldnkkf.exe 1580 Fgldnkkf.exe 2364 Fnflke32.exe 2364 Fnflke32.exe 2704 Gkpfmnlb.exe 2704 Gkpfmnlb.exe 2604 Golbnm32.exe 2604 Golbnm32.exe 2348 Gdhkfd32.exe 2348 Gdhkfd32.exe 2780 Ghdgfbkl.exe 2780 Ghdgfbkl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fijbco32.exe Fcqjfeja.exe File opened for modification C:\Windows\SysWOW64\Bplijcle.exe Bheaiekc.exe File created C:\Windows\SysWOW64\Jijacjnc.exe Jacibm32.exe File created C:\Windows\SysWOW64\Fdjcfm32.dll Process not Found File created C:\Windows\SysWOW64\Fefcmehe.exe Process not Found File created C:\Windows\SysWOW64\Nljpjc32.dll Process not Found File created C:\Windows\SysWOW64\Efedga32.exe Dhbdleol.exe File created C:\Windows\SysWOW64\Gjhjgq32.dll Process not Found File created C:\Windows\SysWOW64\Bdaabk32.exe Process not Found File created C:\Windows\SysWOW64\Djiqdb32.exe Dfmeccao.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Cjhabndo.exe File created C:\Windows\SysWOW64\Ghdjfq32.dll Colpld32.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Kfaalh32.exe File opened for modification C:\Windows\SysWOW64\Mpqjmh32.exe Process not Found File created C:\Windows\SysWOW64\Ppopja32.exe Palpneop.exe File created C:\Windows\SysWOW64\Fpemhb32.exe Process not Found File created C:\Windows\SysWOW64\Nphgph32.dll Jfofol32.exe File opened for modification C:\Windows\SysWOW64\Hcjilgdb.exe Hqkmplen.exe File created C:\Windows\SysWOW64\Aohgfm32.exe Apefjqob.exe File created C:\Windows\SysWOW64\Cmjjmp32.dll Djicmk32.exe File created C:\Windows\SysWOW64\Jieaofmp.exe Jkbaci32.exe File opened for modification C:\Windows\SysWOW64\Imbjcpnn.exe Ikqnlh32.exe File created C:\Windows\SysWOW64\Jjnjqb32.exe Jcdadhjb.exe File opened for modification C:\Windows\SysWOW64\Lpcoeb32.exe Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Nfigck32.exe Nggggoda.exe File opened for modification C:\Windows\SysWOW64\Fejfmk32.exe Fbkjap32.exe File opened for modification C:\Windows\SysWOW64\Ihpgce32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe Kcecbq32.exe File created C:\Windows\SysWOW64\Mkidliln.dll Nqjaeeog.exe File created C:\Windows\SysWOW64\Keclgbfi.dll Gmhkin32.exe File created C:\Windows\SysWOW64\Peiejhfb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fibcoalf.exe Feggob32.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Gkebafoa.exe File created C:\Windows\SysWOW64\Doclpb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bfbjdf32.exe Process not Found File created C:\Windows\SysWOW64\Ekhmcelc.exe Ehjqgjmp.exe File created C:\Windows\SysWOW64\Iahghfmb.dll Hinbppna.exe File created C:\Windows\SysWOW64\Agpqch32.dll Lpqlemaj.exe File created C:\Windows\SysWOW64\Mghckj32.exe Mpnkopeh.exe File created C:\Windows\SysWOW64\Dabahf32.dll Mghckj32.exe File created C:\Windows\SysWOW64\Lfhiepbn.exe Process not Found File created C:\Windows\SysWOW64\Mclebc32.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Bljhgm32.dll Ekhmcelc.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jnmiag32.exe File opened for modification C:\Windows\SysWOW64\Ndnmialh.exe Nbpqmfmd.exe File opened for modification C:\Windows\SysWOW64\Ompefj32.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Qoeamo32.exe Qhkipdeb.exe File opened for modification C:\Windows\SysWOW64\Fbimkpmm.exe Fmlecinf.exe File opened for modification C:\Windows\SysWOW64\Gekhgh32.exe Process not Found File created C:\Windows\SysWOW64\Afgnkilf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ibillk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fpdkpiik.exe Fijbco32.exe File created C:\Windows\SysWOW64\Jacibm32.exe Joblkegc.exe File created C:\Windows\SysWOW64\Ccqhdmbc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llebnfpe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe Locjhqpa.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nameek32.exe File created C:\Windows\SysWOW64\Onmnmm32.dll Fibcoalf.exe File created C:\Windows\SysWOW64\Aaggak32.dll Igkhjdde.exe File created C:\Windows\SysWOW64\Mmmloaog.dll Process not Found File created C:\Windows\SysWOW64\Kjkfeo32.dll Mobfgdcl.exe File opened for modification C:\Windows\SysWOW64\Gmhkin32.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Gmlablaa.exe Gkmefaan.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilbocej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eloipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjhmipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clciod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkqdepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mloiec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqodqodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlablaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmalldcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjhicpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olchjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgkhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhfdffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiqibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlecinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpnoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogofkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oielnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaojbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjcjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaiqnakp.dll" Hjggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhooh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmmfimm.dll" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhklji32.dll" Omiand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeghl32.dll" Kpafapbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmoammm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhiaka32.dll" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfmmcec.dll" Feggob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjfphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpfmo32.dll" Iejiodbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkoeoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfifeml.dll" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cqdfehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnklgkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emaijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpmned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjqpdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fapgblob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daagjapn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdkpjd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dniefn32.dll" Elgfkhpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggpokfi.dll" Klhioioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgiekfhg.dll" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnibcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjedgmpi.dll" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noohlkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llhmmh32.dll" Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbbhfld.dll" Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkidliln.dll" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dblhmoio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2148 2684 f2dee1395dcac34f0b3570389026fd00N.exe 30 PID 2684 wrote to memory of 2148 2684 f2dee1395dcac34f0b3570389026fd00N.exe 30 PID 2684 wrote to memory of 2148 2684 f2dee1395dcac34f0b3570389026fd00N.exe 30 PID 2684 wrote to memory of 2148 2684 f2dee1395dcac34f0b3570389026fd00N.exe 30 PID 2148 wrote to memory of 2556 2148 Dbncjf32.exe 31 PID 2148 wrote to memory of 2556 2148 Dbncjf32.exe 31 PID 2148 wrote to memory of 2556 2148 Dbncjf32.exe 31 PID 2148 wrote to memory of 2556 2148 Dbncjf32.exe 31 PID 2556 wrote to memory of 2208 2556 Daacecfc.exe 32 PID 2556 wrote to memory of 2208 2556 Daacecfc.exe 32 PID 2556 wrote to memory of 2208 2556 Daacecfc.exe 32 PID 2556 wrote to memory of 2208 2556 Daacecfc.exe 32 PID 2208 wrote to memory of 2824 2208 Dhkkbmnp.exe 33 PID 2208 wrote to memory of 2824 2208 Dhkkbmnp.exe 33 PID 2208 wrote to memory of 2824 2208 Dhkkbmnp.exe 33 PID 2208 wrote to memory of 2824 2208 Dhkkbmnp.exe 33 PID 2824 wrote to memory of 2476 2824 Dmjqpdje.exe 34 PID 2824 wrote to memory of 2476 2824 Dmjqpdje.exe 34 PID 2824 wrote to memory of 2476 2824 Dmjqpdje.exe 34 PID 2824 wrote to memory of 2476 2824 Dmjqpdje.exe 34 PID 2476 wrote to memory of 2344 2476 Dgbeiiqe.exe 35 PID 2476 wrote to memory of 2344 2476 Dgbeiiqe.exe 35 PID 2476 wrote to memory of 2344 2476 Dgbeiiqe.exe 35 PID 2476 wrote to memory of 2344 2476 Dgbeiiqe.exe 35 PID 2344 wrote to memory of 2608 2344 Ddfebnoo.exe 36 PID 2344 wrote to memory of 2608 2344 Ddfebnoo.exe 36 PID 2344 wrote to memory of 2608 2344 Ddfebnoo.exe 36 PID 2344 wrote to memory of 2608 2344 Ddfebnoo.exe 36 PID 2608 wrote to memory of 2052 2608 Dmojkc32.exe 37 PID 2608 wrote to memory of 2052 2608 Dmojkc32.exe 37 PID 2608 wrote to memory of 2052 2608 Dmojkc32.exe 37 PID 2608 wrote to memory of 2052 2608 Dmojkc32.exe 37 PID 2052 wrote to memory of 704 2052 Epmfgo32.exe 38 PID 2052 wrote to memory of 704 2052 Epmfgo32.exe 38 PID 2052 wrote to memory of 704 2052 Epmfgo32.exe 38 PID 2052 wrote to memory of 704 2052 Epmfgo32.exe 38 PID 704 wrote to memory of 1760 704 Ecnoijbd.exe 39 PID 704 wrote to memory of 1760 704 Ecnoijbd.exe 39 PID 704 wrote to memory of 1760 704 Ecnoijbd.exe 39 PID 704 wrote to memory of 1760 704 Ecnoijbd.exe 39 PID 1760 wrote to memory of 1576 1760 Egikjh32.exe 40 PID 1760 wrote to memory of 1576 1760 Egikjh32.exe 40 PID 1760 wrote to memory of 1576 1760 Egikjh32.exe 40 PID 1760 wrote to memory of 1576 1760 Egikjh32.exe 40 PID 1576 wrote to memory of 1864 1576 Eeohkeoe.exe 41 PID 1576 wrote to memory of 1864 1576 Eeohkeoe.exe 41 PID 1576 wrote to memory of 1864 1576 Eeohkeoe.exe 41 PID 1576 wrote to memory of 1864 1576 Eeohkeoe.exe 41 PID 1864 wrote to memory of 2392 1864 Ecbhdi32.exe 42 PID 1864 wrote to memory of 2392 1864 Ecbhdi32.exe 42 PID 1864 wrote to memory of 2392 1864 Ecbhdi32.exe 42 PID 1864 wrote to memory of 2392 1864 Ecbhdi32.exe 42 PID 2392 wrote to memory of 1920 2392 Eeaepd32.exe 43 PID 2392 wrote to memory of 1920 2392 Eeaepd32.exe 43 PID 2392 wrote to memory of 1920 2392 Eeaepd32.exe 43 PID 2392 wrote to memory of 1920 2392 Eeaepd32.exe 43 PID 1920 wrote to memory of 3032 1920 Fkpjnkig.exe 44 PID 1920 wrote to memory of 3032 1920 Fkpjnkig.exe 44 PID 1920 wrote to memory of 3032 1920 Fkpjnkig.exe 44 PID 1920 wrote to memory of 3032 1920 Fkpjnkig.exe 44 PID 3032 wrote to memory of 2416 3032 Fnofjfhk.exe 45 PID 3032 wrote to memory of 2416 3032 Fnofjfhk.exe 45 PID 3032 wrote to memory of 2416 3032 Fnofjfhk.exe 45 PID 3032 wrote to memory of 2416 3032 Fnofjfhk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2dee1395dcac34f0b3570389026fd00N.exe"C:\Users\Admin\AppData\Local\Temp\f2dee1395dcac34f0b3570389026fd00N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe33⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe35⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe36⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe38⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe40⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe41⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe42⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe43⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe45⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe47⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe48⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe49⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe52⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe53⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe56⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe57⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe59⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe60⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe61⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe62⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe63⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe64⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe65⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe66⤵PID:1752
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe67⤵PID:2340
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe68⤵PID:1480
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe69⤵PID:2728
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe70⤵PID:3064
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe71⤵PID:544
-
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe72⤵PID:2388
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe73⤵PID:852
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe74⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe75⤵PID:2940
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe76⤵PID:1904
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe77⤵PID:2280
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe78⤵PID:1496
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe79⤵PID:2972
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe80⤵PID:2896
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe81⤵PID:2504
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe82⤵PID:2368
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe83⤵PID:1264
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe84⤵PID:2884
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe85⤵PID:2644
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe86⤵PID:676
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe87⤵PID:2868
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe88⤵PID:2024
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe89⤵PID:2040
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe90⤵PID:2068
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe91⤵PID:692
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe92⤵PID:2296
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe93⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe94⤵PID:1584
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe95⤵PID:1852
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe96⤵PID:2740
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe97⤵PID:2708
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe98⤵PID:556
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe99⤵
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe101⤵PID:2956
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe103⤵PID:572
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe104⤵PID:2384
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe105⤵
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe106⤵PID:2676
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe107⤵PID:2320
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe108⤵PID:2828
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe109⤵PID:1036
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe111⤵PID:2156
-
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe112⤵PID:2252
-
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe113⤵PID:848
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe114⤵PID:1688
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe115⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe116⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe117⤵PID:2616
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe118⤵PID:2012
-
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe119⤵PID:1256
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe120⤵PID:2916
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe121⤵PID:1784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-