Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 23:51
Behavioral task
behavioral1
Sample
61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe
-
Size
256KB
-
MD5
a4f39d7ce267f19c6b85815cece14d10
-
SHA1
fcd4deba4b7ae526b408f93577efe3c0c5a76303
-
SHA256
61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75d
-
SHA512
17b05a8d78ba9fb7c492dce523e5e1c218282233e41128df982e5f5ce06ba07b44ec65ef06009b27a1f025827d8fc1afebd9b442c2912f3cd2e0068a0ddfd4a8
-
SSDEEP
3072:BKki11OI7XXMx2PfQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+j:BKk88+Mx2P41PY1PRe19V+j
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpijgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meakbjaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppidbidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nokdnail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnlfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgcingnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgconl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbchbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjkbfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjpodhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpodedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljndga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieepad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhfpljnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeahpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngfhbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aimfcedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdgkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkfglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifoncgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pildih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doflofbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lppkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfbnfcli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenhfqle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaegaaah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfoekhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beoekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkjeod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcifdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpodhfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedeea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimedaoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnmoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pipklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghcdpjqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjclfmfe.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Cjikaa32.exe 2800 Cligkdlm.exe 2796 Cpkmehol.exe 2976 Dihkimag.exe 2496 Dglkba32.exe 1884 Dilddl32.exe 1656 Eokiabjf.exe 2380 Fcdele32.exe 3048 Flmidkmn.exe 2904 Ffjghppi.exe 2200 Fbqhnqen.exe 1300 Gbcecpck.exe 2044 Gnjehaio.exe 2628 Hjhlnahk.exe 2376 Hpdefh32.exe 1856 Hamgno32.exe 540 Iekpdn32.exe 1972 Imkndofe.exe 1668 Ilpkel32.exe 2808 Jblpge32.exe 1740 Jkgelh32.exe 740 Joenaf32.exe 568 Kjfdcc32.exe 1092 Kkljfj32.exe 2144 Lfaocc32.exe 1580 Lfckhc32.exe 2064 Lnambeed.exe 2292 Ljhngfkh.exe 2980 Mmifiahi.exe 2244 Midqiaih.exe 2728 Mnaiah32.exe 2652 Mifmoa32.exe 2140 Nnfbmgcj.exe 1920 Njlcah32.exe 2940 Nhbqqlfe.exe 2892 Nfhmai32.exe 3064 Odlnkmjg.exe 2656 Oiifcdhn.exe 1648 Olioeoeo.exe 1748 Oebdndlp.exe 2436 Ohbmppia.exe 2364 Oefmid32.exe 2368 Pkcfak32.exe 1652 Pihbbgjj.exe 768 Pikohg32.exe 760 Pimlmf32.exe 1836 Phbinc32.exe 2360 Agloko32.exe 1724 Adppdckh.exe 1004 Agaifnhi.exe 2560 Adeiobgc.exe 1608 Bmbkid32.exe 2968 Bmegodpi.exe 3044 Bbapgknp.exe 2668 Bkjdpp32.exe 2284 Bphmfo32.exe 2760 Bkonkpqk.exe 316 Cakfcfoc.exe 2708 Ckajqo32.exe 1072 Cancif32.exe 2452 Cnacbj32.exe 2076 Cpcpjbah.exe 1900 Cfmhfm32.exe 2476 Dbkolmia.exe -
Loads dropped DLL 64 IoCs
pid Process 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 2236 Cjikaa32.exe 2236 Cjikaa32.exe 2800 Cligkdlm.exe 2800 Cligkdlm.exe 2796 Cpkmehol.exe 2796 Cpkmehol.exe 2976 Dihkimag.exe 2976 Dihkimag.exe 2496 Dglkba32.exe 2496 Dglkba32.exe 1884 Dilddl32.exe 1884 Dilddl32.exe 1656 Eokiabjf.exe 1656 Eokiabjf.exe 2380 Fcdele32.exe 2380 Fcdele32.exe 3048 Flmidkmn.exe 3048 Flmidkmn.exe 2904 Ffjghppi.exe 2904 Ffjghppi.exe 2200 Fbqhnqen.exe 2200 Fbqhnqen.exe 1300 Gbcecpck.exe 1300 Gbcecpck.exe 2044 Gnjehaio.exe 2044 Gnjehaio.exe 2628 Hjhlnahk.exe 2628 Hjhlnahk.exe 2376 Hpdefh32.exe 2376 Hpdefh32.exe 1856 Hamgno32.exe 1856 Hamgno32.exe 540 Iekpdn32.exe 540 Iekpdn32.exe 1972 Imkndofe.exe 1972 Imkndofe.exe 1668 Ilpkel32.exe 1668 Ilpkel32.exe 2808 Jblpge32.exe 2808 Jblpge32.exe 1740 Jkgelh32.exe 1740 Jkgelh32.exe 740 Joenaf32.exe 740 Joenaf32.exe 568 Kjfdcc32.exe 568 Kjfdcc32.exe 1092 Kkljfj32.exe 1092 Kkljfj32.exe 2144 Lfaocc32.exe 2144 Lfaocc32.exe 1580 Lfckhc32.exe 1580 Lfckhc32.exe 2064 Lnambeed.exe 2064 Lnambeed.exe 2292 Ljhngfkh.exe 2292 Ljhngfkh.exe 2980 Mmifiahi.exe 2980 Mmifiahi.exe 2244 Midqiaih.exe 2244 Midqiaih.exe 2728 Mnaiah32.exe 2728 Mnaiah32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cnacbj32.exe Cancif32.exe File created C:\Windows\SysWOW64\Immbmp32.dll Fmholgpj.exe File created C:\Windows\SysWOW64\Ccmcfc32.exe Cpogjh32.exe File opened for modification C:\Windows\SysWOW64\Gcfioj32.exe Ggphji32.exe File created C:\Windows\SysWOW64\Ppbfmdfo.exe Pfjbdn32.exe File created C:\Windows\SysWOW64\Cpccnp32.exe Caofmc32.exe File created C:\Windows\SysWOW64\Pocbcp32.dll Mklegm32.exe File opened for modification C:\Windows\SysWOW64\Dkookd32.exe Djnbdlla.exe File opened for modification C:\Windows\SysWOW64\Hdcebagp.exe Hjnaehgj.exe File created C:\Windows\SysWOW64\Iaqnbb32.exe Ilcfjkgj.exe File created C:\Windows\SysWOW64\Abehhc32.dll Abodlk32.exe File created C:\Windows\SysWOW64\Aoclac32.dll Inbobn32.exe File created C:\Windows\SysWOW64\Aiclffeg.dll Hcmmhmhd.exe File created C:\Windows\SysWOW64\Lelphbon.exe Process not Found File opened for modification C:\Windows\SysWOW64\Klkjbf32.exe Kpdjnefm.exe File created C:\Windows\SysWOW64\Kloggici.dll Cjmaed32.exe File opened for modification C:\Windows\SysWOW64\Inmdjjok.exe Ieepad32.exe File opened for modification C:\Windows\SysWOW64\Nqngkcjm.exe Nfhcmkkg.exe File opened for modification C:\Windows\SysWOW64\Hodpfg32.exe Process not Found File created C:\Windows\SysWOW64\Iigclhhk.dll Process not Found File created C:\Windows\SysWOW64\Idalfo32.dll Process not Found File created C:\Windows\SysWOW64\Bbqddm32.dll Aenileon.exe File opened for modification C:\Windows\SysWOW64\Kppohf32.exe Kifgllbc.exe File created C:\Windows\SysWOW64\Odjikh32.exe Ngfhbd32.exe File opened for modification C:\Windows\SysWOW64\Fpgpjdnf.exe Fjkgampo.exe File created C:\Windows\SysWOW64\Koafcppm.exe Kjdmjiae.exe File created C:\Windows\SysWOW64\Aopffk32.exe Process not Found File created C:\Windows\SysWOW64\Gohqhl32.exe Geplpfnh.exe File created C:\Windows\SysWOW64\Mlljiklc.exe Mdaedhoh.exe File created C:\Windows\SysWOW64\Lhodgebh.exe Lbdljk32.exe File created C:\Windows\SysWOW64\Dioinf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iefeaj32.exe Ijmdql32.exe File created C:\Windows\SysWOW64\Moahdd32.exe Mnakjaoc.exe File created C:\Windows\SysWOW64\Jkfkjemd.exe Jcjffc32.exe File created C:\Windows\SysWOW64\Fgmlfo32.dll Oljanhmc.exe File opened for modification C:\Windows\SysWOW64\Campbj32.exe Cialng32.exe File opened for modification C:\Windows\SysWOW64\Ndlanf32.exe Mheqie32.exe File opened for modification C:\Windows\SysWOW64\Hgconl32.exe Gjpodhfi.exe File created C:\Windows\SysWOW64\Mnakjaoc.exe Mhdcbjal.exe File created C:\Windows\SysWOW64\Icbjjdmb.dll Gadidabc.exe File created C:\Windows\SysWOW64\Hcbndcka.dll Afamgpga.exe File created C:\Windows\SysWOW64\Clcjjimp.dll Nikflm32.exe File created C:\Windows\SysWOW64\Jckiolgm.exe Jlaqba32.exe File created C:\Windows\SysWOW64\Hdfgejal.dll Process not Found File created C:\Windows\SysWOW64\Lgpjcnhh.exe Kmgekh32.exe File created C:\Windows\SysWOW64\Gaaicjed.dll Indiodbh.exe File created C:\Windows\SysWOW64\Qmlkcpgf.dll Bfoffmhd.exe File created C:\Windows\SysWOW64\Epijdn32.dll Agoodkgk.exe File opened for modification C:\Windows\SysWOW64\Bholco32.exe Bbbckh32.exe File created C:\Windows\SysWOW64\Bjmool32.dll Fjbfek32.exe File created C:\Windows\SysWOW64\Lfaocc32.exe Kkljfj32.exe File created C:\Windows\SysWOW64\Fplknh32.exe Fgcgebhd.exe File created C:\Windows\SysWOW64\Lpkmkl32.exe Lfbibfmi.exe File created C:\Windows\SysWOW64\Iicoai32.exe Ipkkhckl.exe File created C:\Windows\SysWOW64\Hjhlnahk.exe Gnjehaio.exe File created C:\Windows\SysWOW64\Kjfdcc32.exe Joenaf32.exe File created C:\Windows\SysWOW64\Ikgmap32.dll Hcllmi32.exe File created C:\Windows\SysWOW64\Efoobkej.exe Eoefea32.exe File created C:\Windows\SysWOW64\Jocceo32.exe Jekoljgo.exe File created C:\Windows\SysWOW64\Mpbfddef.exe Memagk32.exe File created C:\Windows\SysWOW64\Ngmgfpki.dll Iikneggd.exe File created C:\Windows\SysWOW64\Eohedi32.exe Eikmkbeg.exe File created C:\Windows\SysWOW64\Hdmdcc32.exe Hlbooaoe.exe File created C:\Windows\SysWOW64\Gckmgi32.exe Gqmqkn32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecgafkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmplqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcbpbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenhfqle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbaam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idabbpgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnedpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdcfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclcgoia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhjfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omaepoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkcfbkfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflklaoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihedan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eloimcca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqneaodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oilgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcqhagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjqlid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedijo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkcdgfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckajqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjieedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlife32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdgkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikflm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ianmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmlilfkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjikaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkndofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmggcmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnnmboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpbfddef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcebagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqcffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolohhpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmahbhei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbnfcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpjcaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlkoknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheqie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjpcmjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoefea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camlpldf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoqeekme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pclolakk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qafqbm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcnomjbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndadld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfgnbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcieef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofkoijhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifjoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidldm32.dll" Eiplecnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fflehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhlmn32.dll" Ibehna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jakejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbppqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnlhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpiiajg.dll" Eloimcca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blcacnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beoekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfhkenj.dll" Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehmgfd.dll" Hcghffen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkncj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckahlgg.dll" Gjkfglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhgafa.dll" Gohqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfplbaim.dll" Djhnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jedeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daoeeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bphgedjk.dll" Odmhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpgja32.dll" Mmpodedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adppdckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajppjg32.dll" Nllafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfoqe32.dll" Eiimci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhodgebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganbem32.dll" Boadlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfcadq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebnokjpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhnahl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhgfh32.dll" Hlliof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glmckikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiglpl32.dll" Glpbiaqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojnelefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnalqca.dll" Jijqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhojbk32.dll" Oqajqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahcoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odkkdqmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emadjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmpodedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeimblp.dll" Kpcbhlki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afeold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daocjoig.dll" Koacjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggbcamq.dll" Mpbfddef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 2236 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 30 PID 1348 wrote to memory of 2236 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 30 PID 1348 wrote to memory of 2236 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 30 PID 1348 wrote to memory of 2236 1348 61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe 30 PID 2236 wrote to memory of 2800 2236 Cjikaa32.exe 31 PID 2236 wrote to memory of 2800 2236 Cjikaa32.exe 31 PID 2236 wrote to memory of 2800 2236 Cjikaa32.exe 31 PID 2236 wrote to memory of 2800 2236 Cjikaa32.exe 31 PID 2800 wrote to memory of 2796 2800 Cligkdlm.exe 32 PID 2800 wrote to memory of 2796 2800 Cligkdlm.exe 32 PID 2800 wrote to memory of 2796 2800 Cligkdlm.exe 32 PID 2800 wrote to memory of 2796 2800 Cligkdlm.exe 32 PID 2796 wrote to memory of 2976 2796 Cpkmehol.exe 33 PID 2796 wrote to memory of 2976 2796 Cpkmehol.exe 33 PID 2796 wrote to memory of 2976 2796 Cpkmehol.exe 33 PID 2796 wrote to memory of 2976 2796 Cpkmehol.exe 33 PID 2976 wrote to memory of 2496 2976 Dihkimag.exe 34 PID 2976 wrote to memory of 2496 2976 Dihkimag.exe 34 PID 2976 wrote to memory of 2496 2976 Dihkimag.exe 34 PID 2976 wrote to memory of 2496 2976 Dihkimag.exe 34 PID 2496 wrote to memory of 1884 2496 Dglkba32.exe 35 PID 2496 wrote to memory of 1884 2496 Dglkba32.exe 35 PID 2496 wrote to memory of 1884 2496 Dglkba32.exe 35 PID 2496 wrote to memory of 1884 2496 Dglkba32.exe 35 PID 1884 wrote to memory of 1656 1884 Dilddl32.exe 36 PID 1884 wrote to memory of 1656 1884 Dilddl32.exe 36 PID 1884 wrote to memory of 1656 1884 Dilddl32.exe 36 PID 1884 wrote to memory of 1656 1884 Dilddl32.exe 36 PID 1656 wrote to memory of 2380 1656 Eokiabjf.exe 37 PID 1656 wrote to memory of 2380 1656 Eokiabjf.exe 37 PID 1656 wrote to memory of 2380 1656 Eokiabjf.exe 37 PID 1656 wrote to memory of 2380 1656 Eokiabjf.exe 37 PID 2380 wrote to memory of 3048 2380 Fcdele32.exe 38 PID 2380 wrote to memory of 3048 2380 Fcdele32.exe 38 PID 2380 wrote to memory of 3048 2380 Fcdele32.exe 38 PID 2380 wrote to memory of 3048 2380 Fcdele32.exe 38 PID 3048 wrote to memory of 2904 3048 Flmidkmn.exe 39 PID 3048 wrote to memory of 2904 3048 Flmidkmn.exe 39 PID 3048 wrote to memory of 2904 3048 Flmidkmn.exe 39 PID 3048 wrote to memory of 2904 3048 Flmidkmn.exe 39 PID 2904 wrote to memory of 2200 2904 Ffjghppi.exe 40 PID 2904 wrote to memory of 2200 2904 Ffjghppi.exe 40 PID 2904 wrote to memory of 2200 2904 Ffjghppi.exe 40 PID 2904 wrote to memory of 2200 2904 Ffjghppi.exe 40 PID 2200 wrote to memory of 1300 2200 Fbqhnqen.exe 41 PID 2200 wrote to memory of 1300 2200 Fbqhnqen.exe 41 PID 2200 wrote to memory of 1300 2200 Fbqhnqen.exe 41 PID 2200 wrote to memory of 1300 2200 Fbqhnqen.exe 41 PID 1300 wrote to memory of 2044 1300 Gbcecpck.exe 42 PID 1300 wrote to memory of 2044 1300 Gbcecpck.exe 42 PID 1300 wrote to memory of 2044 1300 Gbcecpck.exe 42 PID 1300 wrote to memory of 2044 1300 Gbcecpck.exe 42 PID 2044 wrote to memory of 2628 2044 Gnjehaio.exe 43 PID 2044 wrote to memory of 2628 2044 Gnjehaio.exe 43 PID 2044 wrote to memory of 2628 2044 Gnjehaio.exe 43 PID 2044 wrote to memory of 2628 2044 Gnjehaio.exe 43 PID 2628 wrote to memory of 2376 2628 Hjhlnahk.exe 44 PID 2628 wrote to memory of 2376 2628 Hjhlnahk.exe 44 PID 2628 wrote to memory of 2376 2628 Hjhlnahk.exe 44 PID 2628 wrote to memory of 2376 2628 Hjhlnahk.exe 44 PID 2376 wrote to memory of 1856 2376 Hpdefh32.exe 45 PID 2376 wrote to memory of 1856 2376 Hpdefh32.exe 45 PID 2376 wrote to memory of 1856 2376 Hpdefh32.exe 45 PID 2376 wrote to memory of 1856 2376 Hpdefh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe"C:\Users\Admin\AppData\Local\Temp\61f45d7e57f38d57509c2e535829d49f3a6f78c4273ffaf177b9d210a594d75dN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Cpkmehol.exeC:\Windows\system32\Cpkmehol.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Dilddl32.exeC:\Windows\system32\Dilddl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Imkndofe.exeC:\Windows\system32\Imkndofe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Midqiaih.exeC:\Windows\system32\Midqiaih.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe33⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe34⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Njlcah32.exeC:\Windows\system32\Njlcah32.exe35⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe36⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe37⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe38⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe39⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe40⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe41⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ohbmppia.exeC:\Windows\system32\Ohbmppia.exe42⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe43⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe45⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe46⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe47⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe48⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe49⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe51⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe52⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe53⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bmegodpi.exeC:\Windows\system32\Bmegodpi.exe54⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe55⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe56⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Bphmfo32.exeC:\Windows\system32\Bphmfo32.exe57⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Bkonkpqk.exeC:\Windows\system32\Bkonkpqk.exe58⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe59⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Cancif32.exeC:\Windows\system32\Cancif32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Cnacbj32.exeC:\Windows\system32\Cnacbj32.exe62⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe63⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe64⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe65⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe66⤵PID:944
-
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe67⤵PID:360
-
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe68⤵PID:1192
-
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe70⤵PID:660
-
C:\Windows\SysWOW64\Eeiggk32.exeC:\Windows\system32\Eeiggk32.exe71⤵PID:2960
-
C:\Windows\SysWOW64\Ecmhqp32.exeC:\Windows\system32\Ecmhqp32.exe72⤵PID:2832
-
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe73⤵PID:2692
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe74⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe75⤵PID:2164
-
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe76⤵PID:2900
-
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe77⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe78⤵PID:2024
-
C:\Windows\SysWOW64\Fjdpgnee.exeC:\Windows\system32\Fjdpgnee.exe79⤵PID:1096
-
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe80⤵PID:2072
-
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe81⤵PID:2636
-
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe82⤵PID:1124
-
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe83⤵PID:2536
-
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Gccjpb32.exeC:\Windows\system32\Gccjpb32.exe85⤵PID:1088
-
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe86⤵PID:1944
-
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe87⤵PID:1512
-
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe88⤵PID:2820
-
C:\Windows\SysWOW64\Gnbelong.exeC:\Windows\system32\Gnbelong.exe89⤵PID:2924
-
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe90⤵
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe92⤵PID:3012
-
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe93⤵PID:1492
-
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe94⤵PID:2732
-
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe95⤵PID:1860
-
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe96⤵PID:2348
-
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe97⤵PID:1700
-
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe98⤵PID:2612
-
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe99⤵PID:1108
-
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe100⤵PID:2340
-
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe101⤵PID:916
-
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe102⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe103⤵PID:576
-
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe104⤵PID:2204
-
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe105⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe107⤵PID:2848
-
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe108⤵PID:2792
-
C:\Windows\SysWOW64\Kheaoj32.exeC:\Windows\system32\Kheaoj32.exe109⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe110⤵PID:2440
-
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe111⤵PID:2540
-
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe112⤵
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe113⤵PID:2020
-
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe116⤵PID:2088
-
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe117⤵PID:1180
-
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe118⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe119⤵PID:524
-
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe120⤵PID:3004
-
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe121⤵
- System Location Discovery: System Language Discovery
PID:2884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-