Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 06:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81444e85ace5c0ee917a958779255fb0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
81444e85ace5c0ee917a958779255fb0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
81444e85ace5c0ee917a958779255fb0N.exe
-
Size
379KB
-
MD5
81444e85ace5c0ee917a958779255fb0
-
SHA1
2265b98e140a9089cb06a45885cf7659799a9f35
-
SHA256
ac83c0bd64eeb2e63e430a54fa3adc81be577dea632c54d884ec3fa22bb1e4e8
-
SHA512
8babad64da4a32d7bf543f84d93ea3fcd7fc74b090fd3c15474720d8d18ff1f1b72bca7378deb52b55bfe540dc0c18199db86309091e739d829ebd16d8f989bb
-
SSDEEP
6144:1qSuPCVUH3ckli7O/0xLxli7O//yb1c3ccU0S6GyTgfiEkrE:1Z4CiHP6vxr6lGHaXyTg6EkrE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkedjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjmoace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onamle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gminbfoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfagemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bomlppdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikldqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhhed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqpebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddbjhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llepen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnodgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Floeof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onamle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Habili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naimepkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penihe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clciod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmblnif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmddgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nommodjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehcij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjahakgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpdhifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epcddopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmqigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpefc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eanldqgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifjk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2416 Cgaaah32.exe 456 Ceebklai.exe 2864 Cmpgpond.exe 812 Ddaemh32.exe 2592 Eanldqgf.exe 2300 Einjdb32.exe 1760 Fhgppnan.exe 944 Fepjea32.exe 2896 Gqlhkofn.exe 2960 Gconbj32.exe 1136 Hfbcidmk.exe 2968 Hgflflqg.exe 2488 Ijkocg32.exe 2040 Iiqldc32.exe 2236 Ipmqgmcd.exe 976 Iieepbje.exe 1704 Jjkkbjln.exe 336 Joidhh32.exe 1056 Jdflqo32.exe 1912 Kdmban32.exe 612 Kmegjdad.exe 2348 Kilgoe32.exe 2304 Koipglep.exe 2516 Klmqapci.exe 464 Kajiigba.exe 1596 Lhfnkqgk.exe 2736 Ljigih32.exe 2832 Lcblan32.exe 2800 Lfbdci32.exe 2812 Mfeaiime.exe 2612 Momfan32.exe 2716 Mdmkoepk.exe 1208 Mhjcec32.exe 1184 Mbchni32.exe 2008 Ngpqfp32.exe 1412 Nbeedh32.exe 2016 Nknimnap.exe 2480 Njeccjcd.exe 2472 Nijpdfhm.exe 936 Ofnpnkgf.exe 1272 Obgnhkkh.exe 908 Ojbbmnhc.exe 2168 Omckoi32.exe 1692 Pnchhllf.exe 632 Pmhejhao.exe 2356 Pdbmfb32.exe 1664 Ppinkcnp.exe 1088 Pfbfhm32.exe 1936 Pehcij32.exe 2184 Paocnkph.exe 308 Qbnphngk.exe 2848 Qkielpdf.exe 2712 Agpeaa32.exe 2616 Anjnnk32.exe 2576 Aahfdihn.exe 2884 Alageg32.exe 2928 Aclpaali.exe 2020 Apppkekc.exe 1968 Afliclij.exe 2268 Bpbmqe32.exe 2364 Blinefnd.exe 1512 Bddbjhlp.exe 1688 Boifga32.exe 1940 Bgdkkc32.exe -
Loads dropped DLL 64 IoCs
pid Process 1960 81444e85ace5c0ee917a958779255fb0N.exe 1960 81444e85ace5c0ee917a958779255fb0N.exe 2416 Cgaaah32.exe 2416 Cgaaah32.exe 456 Ceebklai.exe 456 Ceebklai.exe 2864 Cmpgpond.exe 2864 Cmpgpond.exe 812 Ddaemh32.exe 812 Ddaemh32.exe 2592 Eanldqgf.exe 2592 Eanldqgf.exe 2300 Einjdb32.exe 2300 Einjdb32.exe 1760 Fhgppnan.exe 1760 Fhgppnan.exe 944 Fepjea32.exe 944 Fepjea32.exe 2896 Gqlhkofn.exe 2896 Gqlhkofn.exe 2960 Gconbj32.exe 2960 Gconbj32.exe 1136 Hfbcidmk.exe 1136 Hfbcidmk.exe 2968 Hgflflqg.exe 2968 Hgflflqg.exe 2488 Ijkocg32.exe 2488 Ijkocg32.exe 2040 Iiqldc32.exe 2040 Iiqldc32.exe 2236 Ipmqgmcd.exe 2236 Ipmqgmcd.exe 976 Iieepbje.exe 976 Iieepbje.exe 1704 Jjkkbjln.exe 1704 Jjkkbjln.exe 336 Joidhh32.exe 336 Joidhh32.exe 1056 Jdflqo32.exe 1056 Jdflqo32.exe 1912 Kdmban32.exe 1912 Kdmban32.exe 612 Kmegjdad.exe 612 Kmegjdad.exe 2348 Kilgoe32.exe 2348 Kilgoe32.exe 2304 Koipglep.exe 2304 Koipglep.exe 2516 Klmqapci.exe 2516 Klmqapci.exe 464 Kajiigba.exe 464 Kajiigba.exe 1596 Lhfnkqgk.exe 1596 Lhfnkqgk.exe 2736 Ljigih32.exe 2736 Ljigih32.exe 2832 Lcblan32.exe 2832 Lcblan32.exe 2800 Lfbdci32.exe 2800 Lfbdci32.exe 2812 Mfeaiime.exe 2812 Mfeaiime.exe 2612 Momfan32.exe 2612 Momfan32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aeenapck.exe Amjiln32.exe File created C:\Windows\SysWOW64\Ohengmcf.exe Ofgbkacb.exe File created C:\Windows\SysWOW64\Igpfoieh.dll Ofgbkacb.exe File created C:\Windows\SysWOW64\Qaqlbmbn.exe Qjgcecja.exe File created C:\Windows\SysWOW64\Ljigih32.exe Lhfnkqgk.exe File created C:\Windows\SysWOW64\Oiahkhpo.dll Jgjkfi32.exe File opened for modification C:\Windows\SysWOW64\Ccmblnif.exe Clciod32.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Giaidnkf.exe File created C:\Windows\SysWOW64\Ahhaobfe.exe Anbmbi32.exe File created C:\Windows\SysWOW64\Mmgqao32.dll Lhimji32.exe File created C:\Windows\SysWOW64\Ehncceog.dll Bfgdmjlp.exe File created C:\Windows\SysWOW64\Fakmpf32.dll Epcddopf.exe File opened for modification C:\Windows\SysWOW64\Hgckoofa.exe Hpicbe32.exe File opened for modification C:\Windows\SysWOW64\Aocbokia.exe Aejnfe32.exe File created C:\Windows\SysWOW64\Dqgchlio.dll Gfoeel32.exe File opened for modification C:\Windows\SysWOW64\Ooofcg32.exe Ohengmcf.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe 81444e85ace5c0ee917a958779255fb0N.exe File created C:\Windows\SysWOW64\Jmdgipkk.exe Iclbpj32.exe File opened for modification C:\Windows\SysWOW64\Qboikm32.exe Pdjljpnc.exe File created C:\Windows\SysWOW64\Laaabo32.exe Lhimji32.exe File opened for modification C:\Windows\SysWOW64\Miocmq32.exe Llkbcl32.exe File created C:\Windows\SysWOW64\Fjaoplho.exe Fbfjkj32.exe File created C:\Windows\SysWOW64\Geindqkj.dll Ihnjmf32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Cgaaah32.exe File created C:\Windows\SysWOW64\Nncojg32.dll Hgflflqg.exe File opened for modification C:\Windows\SysWOW64\Pehcij32.exe Pfbfhm32.exe File created C:\Windows\SysWOW64\Ldknflmi.dll Pebbcdkn.exe File created C:\Windows\SysWOW64\Efoifiep.exe Epcddopf.exe File opened for modification C:\Windows\SysWOW64\Coindgbi.exe Cniajdkg.exe File opened for modification C:\Windows\SysWOW64\Jdflqo32.exe Joidhh32.exe File created C:\Windows\SysWOW64\Miglefjd.dll Blinefnd.exe File created C:\Windows\SysWOW64\Kjeglh32.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Hjlkkhne.dll Celpqbon.exe File opened for modification C:\Windows\SysWOW64\Iiqldc32.exe Ijkocg32.exe File created C:\Windows\SysWOW64\Pdmbdddn.dll Plhaeofp.exe File opened for modification C:\Windows\SysWOW64\Ecmjid32.exe Egfjdchi.exe File opened for modification C:\Windows\SysWOW64\Pjahakgb.exe Pdhpdq32.exe File created C:\Windows\SysWOW64\Gpmdcijc.dll Anbmbi32.exe File opened for modification C:\Windows\SysWOW64\Eelgcg32.exe Ecmjid32.exe File created C:\Windows\SysWOW64\Eqkjmcmq.exe Eddjhb32.exe File created C:\Windows\SysWOW64\Jgjmoace.exe Jqpebg32.exe File opened for modification C:\Windows\SysWOW64\Jqbbhg32.exe Jgjmoace.exe File created C:\Windows\SysWOW64\Kdmban32.exe Jdflqo32.exe File created C:\Windows\SysWOW64\Penihe32.exe Lhnmoo32.exe File created C:\Windows\SysWOW64\Ejdphkml.dll Mkgeehnl.exe File created C:\Windows\SysWOW64\Gfoeel32.exe Fmddgg32.exe File created C:\Windows\SysWOW64\Enjqlaec.dll Mhalngad.exe File opened for modification C:\Windows\SysWOW64\Pkmmigjo.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Dafoikjb.exe Dgnjqe32.exe File created C:\Windows\SysWOW64\Giaidnkf.exe Goldfelp.exe File created C:\Windows\SysWOW64\Afqhjj32.exe Aeokba32.exe File opened for modification C:\Windows\SysWOW64\Dkgldm32.exe Dboglhna.exe File created C:\Windows\SysWOW64\Okfampdd.dll Jgjmoace.exe File created C:\Windows\SysWOW64\Hqhepmkh.dll Giaidnkf.exe File created C:\Windows\SysWOW64\Bpcfcddp.exe Ahhaobfe.exe File created C:\Windows\SysWOW64\Ffemqioj.dll Abjeejep.exe File opened for modification C:\Windows\SysWOW64\Bmlbaqfh.exe Bdcnhk32.exe File opened for modification C:\Windows\SysWOW64\Einjdb32.exe Eanldqgf.exe File created C:\Windows\SysWOW64\Goldfelp.exe Gcedad32.exe File created C:\Windows\SysWOW64\Ooofcg32.exe Ohengmcf.exe File opened for modification C:\Windows\SysWOW64\Lcblan32.exe Ljigih32.exe File created C:\Windows\SysWOW64\Gbmhafee.dll Ibhicbao.exe File created C:\Windows\SysWOW64\Jqpebg32.exe Jghqia32.exe File opened for modification C:\Windows\SysWOW64\Kilgoe32.exe Kmegjdad.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibkmgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clciod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqlbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbdci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llepen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpclofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpdhifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmljcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggiofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmibmhoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhpdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plhaeofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djicmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkjgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnmoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaklmhak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilbocej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdgipkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpogk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjeejep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcnhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjohmbpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnimkom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifmimch.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngooj32.dll" Qjgcecja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdeoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghibjjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpceebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcdkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkdigfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabponba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpoejbhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eanldqgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbchni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oapcfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll" Ailqfooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpefc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkpefi.dll" Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehpga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbfjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkedjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiqldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obffbh32.dll" Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjcpc32.dll" Neblqoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdchneko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqgchlio.dll" Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcedad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikldqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcpbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll" Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkcbpni.dll" Qfikod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgjgn32.dll" Cbbomjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfqdk32.dll" Fmohco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajiigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjngbihn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbomjnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjgcecja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhimji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khojcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmclmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geindqkj.dll" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" Chmibmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koipglep.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 2416 1960 81444e85ace5c0ee917a958779255fb0N.exe 31 PID 1960 wrote to memory of 2416 1960 81444e85ace5c0ee917a958779255fb0N.exe 31 PID 1960 wrote to memory of 2416 1960 81444e85ace5c0ee917a958779255fb0N.exe 31 PID 1960 wrote to memory of 2416 1960 81444e85ace5c0ee917a958779255fb0N.exe 31 PID 2416 wrote to memory of 456 2416 Cgaaah32.exe 32 PID 2416 wrote to memory of 456 2416 Cgaaah32.exe 32 PID 2416 wrote to memory of 456 2416 Cgaaah32.exe 32 PID 2416 wrote to memory of 456 2416 Cgaaah32.exe 32 PID 456 wrote to memory of 2864 456 Ceebklai.exe 33 PID 456 wrote to memory of 2864 456 Ceebklai.exe 33 PID 456 wrote to memory of 2864 456 Ceebklai.exe 33 PID 456 wrote to memory of 2864 456 Ceebklai.exe 33 PID 2864 wrote to memory of 812 2864 Cmpgpond.exe 34 PID 2864 wrote to memory of 812 2864 Cmpgpond.exe 34 PID 2864 wrote to memory of 812 2864 Cmpgpond.exe 34 PID 2864 wrote to memory of 812 2864 Cmpgpond.exe 34 PID 812 wrote to memory of 2592 812 Ddaemh32.exe 35 PID 812 wrote to memory of 2592 812 Ddaemh32.exe 35 PID 812 wrote to memory of 2592 812 Ddaemh32.exe 35 PID 812 wrote to memory of 2592 812 Ddaemh32.exe 35 PID 2592 wrote to memory of 2300 2592 Eanldqgf.exe 36 PID 2592 wrote to memory of 2300 2592 Eanldqgf.exe 36 PID 2592 wrote to memory of 2300 2592 Eanldqgf.exe 36 PID 2592 wrote to memory of 2300 2592 Eanldqgf.exe 36 PID 2300 wrote to memory of 1760 2300 Einjdb32.exe 37 PID 2300 wrote to memory of 1760 2300 Einjdb32.exe 37 PID 2300 wrote to memory of 1760 2300 Einjdb32.exe 37 PID 2300 wrote to memory of 1760 2300 Einjdb32.exe 37 PID 1760 wrote to memory of 944 1760 Fhgppnan.exe 38 PID 1760 wrote to memory of 944 1760 Fhgppnan.exe 38 PID 1760 wrote to memory of 944 1760 Fhgppnan.exe 38 PID 1760 wrote to memory of 944 1760 Fhgppnan.exe 38 PID 944 wrote to memory of 2896 944 Fepjea32.exe 39 PID 944 wrote to memory of 2896 944 Fepjea32.exe 39 PID 944 wrote to memory of 2896 944 Fepjea32.exe 39 PID 944 wrote to memory of 2896 944 Fepjea32.exe 39 PID 2896 wrote to memory of 2960 2896 Gqlhkofn.exe 40 PID 2896 wrote to memory of 2960 2896 Gqlhkofn.exe 40 PID 2896 wrote to memory of 2960 2896 Gqlhkofn.exe 40 PID 2896 wrote to memory of 2960 2896 Gqlhkofn.exe 40 PID 2960 wrote to memory of 1136 2960 Gconbj32.exe 41 PID 2960 wrote to memory of 1136 2960 Gconbj32.exe 41 PID 2960 wrote to memory of 1136 2960 Gconbj32.exe 41 PID 2960 wrote to memory of 1136 2960 Gconbj32.exe 41 PID 1136 wrote to memory of 2968 1136 Hfbcidmk.exe 42 PID 1136 wrote to memory of 2968 1136 Hfbcidmk.exe 42 PID 1136 wrote to memory of 2968 1136 Hfbcidmk.exe 42 PID 1136 wrote to memory of 2968 1136 Hfbcidmk.exe 42 PID 2968 wrote to memory of 2488 2968 Hgflflqg.exe 43 PID 2968 wrote to memory of 2488 2968 Hgflflqg.exe 43 PID 2968 wrote to memory of 2488 2968 Hgflflqg.exe 43 PID 2968 wrote to memory of 2488 2968 Hgflflqg.exe 43 PID 2488 wrote to memory of 2040 2488 Ijkocg32.exe 44 PID 2488 wrote to memory of 2040 2488 Ijkocg32.exe 44 PID 2488 wrote to memory of 2040 2488 Ijkocg32.exe 44 PID 2488 wrote to memory of 2040 2488 Ijkocg32.exe 44 PID 2040 wrote to memory of 2236 2040 Iiqldc32.exe 45 PID 2040 wrote to memory of 2236 2040 Iiqldc32.exe 45 PID 2040 wrote to memory of 2236 2040 Iiqldc32.exe 45 PID 2040 wrote to memory of 2236 2040 Iiqldc32.exe 45 PID 2236 wrote to memory of 976 2236 Ipmqgmcd.exe 46 PID 2236 wrote to memory of 976 2236 Ipmqgmcd.exe 46 PID 2236 wrote to memory of 976 2236 Ipmqgmcd.exe 46 PID 2236 wrote to memory of 976 2236 Ipmqgmcd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\81444e85ace5c0ee917a958779255fb0N.exe"C:\Users\Admin\AppData\Local\Temp\81444e85ace5c0ee917a958779255fb0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe34⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Mbchni32.exeC:\Windows\system32\Mbchni32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe36⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe37⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe38⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe39⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe42⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe44⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe45⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe46⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe48⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe51⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe52⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe59⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe61⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe66⤵PID:2452
-
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe67⤵PID:2520
-
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1364 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe69⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe70⤵PID:2296
-
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe71⤵PID:2964
-
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe72⤵
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe73⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe74⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe75⤵PID:2784
-
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe76⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe78⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe79⤵PID:2064
-
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe81⤵PID:900
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe83⤵PID:1748
-
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe84⤵PID:2316
-
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe85⤵
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe86⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe87⤵PID:3044
-
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe88⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe89⤵PID:1932
-
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe91⤵PID:860
-
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe92⤵PID:2032
-
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe93⤵PID:2900
-
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe95⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe96⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Gamnhq32.exeC:\Windows\system32\Gamnhq32.exe97⤵PID:1528
-
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe98⤵PID:1728
-
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe99⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe100⤵PID:2872
-
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe102⤵PID:1276
-
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe103⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe104⤵PID:2944
-
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe105⤵PID:2996
-
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe106⤵PID:972
-
C:\Windows\SysWOW64\Hfjbmb32.exeC:\Windows\system32\Hfjbmb32.exe107⤵PID:1920
-
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe108⤵PID:1732
-
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1068 -
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe110⤵PID:1736
-
C:\Windows\SysWOW64\Ikldqile.exeC:\Windows\system32\Ikldqile.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe115⤵PID:760
-
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe116⤵
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Jmdgipkk.exeC:\Windows\system32\Jmdgipkk.exe117⤵
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Jgjkfi32.exeC:\Windows\system32\Jgjkfi32.exe118⤵
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe119⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe120⤵PID:436
-
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe121⤵PID:2120
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-