Analysis
max time kernel: 140s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356.exe
  Resource: win10v2004-20240704-en
General
Target: 277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356.exe
Size: 304KB
MD5: be644317aa7fb04d5d511fc9397a713b
SHA1: d33d063a17cd6feca4a43404d807c3299c44fecb
SHA256: 277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356
SHA512: 280fa680a97f8281fd0ebd70b05ef3f7afce7e49ee298be02ce91d90701cc7407b49675d8c971f644e3e42849e91e602bdd99138318f610bf32eb935a77a3269
SSDEEP: 6144:6JNnmEbp7cO7JfnrFVoXJtpNr1RgAaa6FlFlcOuLr2/24qXPAbgPBFpYrFVO/fna:67m2vJfnYdsWfna
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5044, pid_target: 5020, Process: WerFault.exe, procid_target: 360
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
depth | image path | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356.exe | "C:\Users\Admin\AppData\Local\Temp\277ac58f7a25df003629e35caa8b1190c5e36745e0b29dbb4cd8a1b7a6fee356.exe" | 1020 | Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Lqdfmihh.exe | C:\Windows\system32\Lqdfmihh.exe | 2316 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Lnhffm32.exe | C:\Windows\system32\Lnhffm32.exe | 2016 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Lkbphfab.exe | C:\Windows\system32\Lkbphfab.exe | 2768 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Lblhep32.exe | C:\Windows\system32\Lblhep32.exe | 2700 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Mihngj32.exe | C:\Windows\system32\Mihngj32.exe | 2312 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Mikjmi32.exe | C:\Windows\system32\Mikjmi32.exe | 2740 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Mnhbep32.exe | C:\Windows\system32\Mnhbep32.exe | 2648 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Mfedobef.exe | C:\Windows\system32\Mfedobef.exe | 2256 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Mheqie32.exe | C:\Windows\system32\Mheqie32.exe | 2156 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Nfjnja32.exe | C:\Windows\system32\Nfjnja32.exe | 760 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Nfljpa32.exe | C:\Windows\system32\Nfljpa32.exe | 2912 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Nfogeamk.exe | C:\Windows\system32\Nfogeamk.exe | 2044 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Nhbpbi32.exe | C:\Windows\system32\Nhbpbi32.exe | 548 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Okhboc32.exe | C:\Windows\system32\Okhboc32.exe | 2020 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Oaaklmao.exe | C:\Windows\system32\Oaaklmao.exe | 2384 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Poldnf32.exe | C:\Windows\system32\Poldnf32.exe | 2176 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
18 | C:\Windows\SysWOW64\Phdiglap.exe | C:\Windows\system32\Phdiglap.exe | 2060 | Executes dropped EXE; Loads dropped DLL
19 | C:\Windows\SysWOW64\Pockoeeg.exe | C:\Windows\system32\Pockoeeg.exe | 916 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
20 | C:\Windows\SysWOW64\Pfmclold.exe | C:\Windows\system32\Pfmclold.exe | 1944 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Phkohkkh.exe | C:\Windows\system32\Phkohkkh.exe | 2192 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Qqiqam32.exe | C:\Windows\system32\Qqiqam32.exe | 3052 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Ajcbpbkn.exe | C:\Windows\system32\Ajcbpbkn.exe | 984 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Aqnjml32.exe | C:\Windows\system32\Aqnjml32.exe | 744 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Ajfoea32.exe | C:\Windows\system32\Ajfoea32.exe | 1736 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26 | C:\Windows\SysWOW64\Aikkgnnc.exe | C:\Windows\system32\Aikkgnnc.exe | 1600 | Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Aediaoae.exe | C:\Windows\system32\Aediaoae.exe | 2452 | Executes dropped EXE; Loads dropped DLL
28 | C:\Windows\SysWOW64\Bknani32.exe | C:\Windows\system32\Bknani32.exe | 2160 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
29 | C:\Windows\SysWOW64\Beibln32.exe | C:\Windows\system32\Beibln32.exe | 2196 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Bggohi32.exe | C:\Windows\system32\Bggohi32.exe | 2860 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
31 | C:\Windows\SysWOW64\Bjfkde32.exe | C:\Windows\system32\Bjfkde32.exe | 2800 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
32 | C:\Windows\SysWOW64\Bfohoe32.exe | C:\Windows\system32\Bfohoe32.exe | 2624 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Cpjimk32.exe | C:\Windows\system32\Cpjimk32.exe | 2172 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
34 | C:\Windows\SysWOW64\Cbhejf32.exe | C:\Windows\system32\Cbhejf32.exe | 2812 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Cibnfpjg.exe | C:\Windows\system32\Cibnfpjg.exe | 2024 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Coacdg32.exe | C:\Windows\system32\Coacdg32.exe | 2660 | Executes dropped EXE
37 | C:\Windows\SysWOW64\Chldbl32.exe | C:\Windows\system32\Chldbl32.exe | 2960 | Executes dropped EXE
38 | C:\Windows\SysWOW64\Doflofbf.exe | C:\Windows\system32\Doflofbf.exe | 1752 | Executes dropped EXE; Modifies registry class
39 | C:\Windows\SysWOW64\Dadikaaj.exe | C:\Windows\system32\Dadikaaj.exe | 1784 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40 | C:\Windows\SysWOW64\Dhqnnk32.exe | C:\Windows\system32\Dhqnnk32.exe | 2308 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Ddgnbl32.exe | C:\Windows\system32\Ddgnbl32.exe | 2356 | Executes dropped EXE; System Location Discovery: System Language Discovery
42 | C:\Windows\SysWOW64\Didgkc32.exe | C:\Windows\system32\Didgkc32.exe | 3040 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Dlbcgo32.exe | C:\Windows\system32\Dlbcgo32.exe | 1900 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Dekgpdqc.exe | C:\Windows\system32\Dekgpdqc.exe | 1048 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Dmbpaa32.exe | C:\Windows\system32\Dmbpaa32.exe | 1968 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Doclijgd.exe | C:\Windows\system32\Doclijgd.exe | 1616 | Executes dropped EXE; Modifies registry class
47 | C:\Windows\SysWOW64\Dgjdjghf.exe | C:\Windows\system32\Dgjdjghf.exe | 2260 | Executes dropped EXE; Drops file in System32 directory
48 | C:\Windows\SysWOW64\Ehlqao32.exe | C:\Windows\system32\Ehlqao32.exe | 2548 | Executes dropped EXE; Drops file in System32 directory
49 | C:\Windows\SysWOW64\Epchbm32.exe | C:\Windows\system32\Epchbm32.exe | 1216 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
50 | C:\Windows\SysWOW64\Eepakc32.exe | C:\Windows\system32\Eepakc32.exe | 1240 | Executes dropped EXE; Drops file in System32 directory
51 | C:\Windows\SysWOW64\Eikmkbeg.exe | C:\Windows\system32\Eikmkbeg.exe | 2036 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
52 | C:\Windows\SysWOW64\Eklicjkf.exe | C:\Windows\system32\Eklicjkf.exe | 2124 | Executes dropped EXE; Drops file in System32 directory
53 | C:\Windows\SysWOW64\Edenlp32.exe | C:\Windows\system32\Edenlp32.exe | 660 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Ellfmm32.exe | C:\Windows\system32\Ellfmm32.exe | 2772 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
55 | C:\Windows\SysWOW64\Eojbii32.exe | C:\Windows\system32\Eojbii32.exe | 2880 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
56 | C:\Windows\SysWOW64\Edgkap32.exe | C:\Windows\system32\Edgkap32.exe | 2900 | Executes dropped EXE; Drops file in System32 directory
57 | C:\Windows\SysWOW64\Ekacnjfp.exe | C:\Windows\system32\Ekacnjfp.exe | 2576 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58 | C:\Windows\SysWOW64\Epnkfq32.exe | C:\Windows\system32\Epnkfq32.exe | 756 | Executes dropped EXE; Modifies registry class
59 | C:\Windows\SysWOW64\Ehechn32.exe | C:\Windows\system32\Ehechn32.exe | 2240 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Enblpe32.exe | C:\Windows\system32\Enblpe32.exe | 2952 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
61 | C:\Windows\SysWOW64\Fpphlp32.exe | C:\Windows\system32\Fpphlp32.exe | 2212 | Executes dropped EXE; Modifies registry class
62 | C:\Windows\SysWOW64\Fcodhl32.exe | C:\Windows\system32\Fcodhl32.exe | 1136 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Fjimefie.exe | C:\Windows\system32\Fjimefie.exe | 2096 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Fdnabo32.exe | C:\Windows\system32\Fdnabo32.exe | 2528 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Fgmmnj32.exe | C:\Windows\system32\Fgmmnj32.exe | 2456 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
66 | C:\Windows\SysWOW64\Fjkije32.exe | C:\Windows\system32\Fjkije32.exe | 460 | Modifies registry class
67 | C:\Windows\SysWOW64\Fohacl32.exe | C:\Windows\system32\Fohacl32.exe | 1292 |
68 | C:\Windows\SysWOW64\Fgojdj32.exe | C:\Windows\system32\Fgojdj32.exe | 1060 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
69 | C:\Windows\SysWOW64\Fjmfpe32.exe | C:\Windows\system32\Fjmfpe32.exe | 3004 |
70 | C:\Windows\SysWOW64\Fmlblq32.exe | C:\Windows\system32\Fmlblq32.exe | 1556 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
71 | C:\Windows\SysWOW64\Fcfjik32.exe | C:\Windows\system32\Fcfjik32.exe | 1920 |
72 | C:\Windows\SysWOW64\Fhbcaa32.exe | C:\Windows\system32\Fhbcaa32.exe | 2168 |
73 | C:\Windows\SysWOW64\Fmnoapba.exe | C:\Windows\system32\Fmnoapba.exe | 2872 | Adds autorun key to be loaded by Explorer.exe on startup
74 | C:\Windows\SysWOW64\Fbkgjgqi.exe | C:\Windows\system32\Fbkgjgqi.exe | 2756 |
75 | C:\Windows\SysWOW64\Fiepga32.exe | C:\Windows\system32\Fiepga32.exe | 2892 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
76 | C:\Windows\SysWOW64\Goohckob.exe | C:\Windows\system32\Goohckob.exe | 2636 |
77 | C:\Windows\SysWOW64\Ggjmhn32.exe | C:\Windows\system32\Ggjmhn32.exe | 872 | Drops file in System32 directory
78 | C:\Windows\SysWOW64\Gkehhlef.exe | C:\Windows\system32\Gkehhlef.exe | 2804 |
79 | C:\Windows\SysWOW64\Gqbaqccn.exe | C:\Windows\system32\Gqbaqccn.exe | 1792 |
80 | C:\Windows\SysWOW64\Gglimm32.exe | C:\Windows\system32\Gglimm32.exe | 2916 | Adds autorun key to be loaded by Explorer.exe on startup
81 | C:\Windows\SysWOW64\Gkhenlcd.exe | C:\Windows\system32\Gkhenlcd.exe | 3068 | System Location Discovery: System Language Discovery; Modifies registry class
82 | C:\Windows\SysWOW64\Gbbnkfjq.exe | C:\Windows\system32\Gbbnkfjq.exe | 2420 |
83 | C:\Windows\SysWOW64\Gepjgaid.exe | C:\Windows\system32\Gepjgaid.exe | 1500 | Modifies registry class
84 | C:\Windows\SysWOW64\Gccjbo32.exe | C:\Windows\system32\Gccjbo32.exe | 1980 |
85 | C:\Windows\SysWOW64\Gjmbohhl.exe | C:\Windows\system32\Gjmbohhl.exe | 1096 | Adds autorun key to be loaded by Explorer.exe on startup
86 | C:\Windows\SysWOW64\Gqgjlb32.exe | C:\Windows\system32\Gqgjlb32.exe | 2140 |
87 | C:\Windows\SysWOW64\Gfdcdi32.exe | C:\Windows\system32\Gfdcdi32.exe | 1952 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
88 | C:\Windows\SysWOW64\Gnkkeg32.exe | C:\Windows\system32\Gnkkeg32.exe | 2152 |
89 | C:\Windows\SysWOW64\Gplgmodq.exe | C:\Windows\system32\Gplgmodq.exe | 3056 |
90 | C:\Windows\SysWOW64\Hffpiikm.exe | C:\Windows\system32\Hffpiikm.exe | 2208 |
91 | C:\Windows\SysWOW64\Hmphfc32.exe | C:\Windows\system32\Hmphfc32.exe | 1620 |
92 | C:\Windows\SysWOW64\Hcjpcmjg.exe | C:\Windows\system32\Hcjpcmjg.exe | 1044 | Adds autorun key to be loaded by Explorer.exe on startup
93 | C:\Windows\SysWOW64\Hpaaho32.exe | C:\Windows\system32\Hpaaho32.exe | 1608 |
94 | C:\Windows\SysWOW64\Hcmmhmhd.exe | C:\Windows\system32\Hcmmhmhd.exe | 2732 | Drops file in System32 directory; System Location Discovery: System Language Discovery
95 | C:\Windows\SysWOW64\Henipenb.exe | C:\Windows\system32\Henipenb.exe | 2856 |
96 | C:\Windows\SysWOW64\Hmeaaboe.exe | C:\Windows\system32\Hmeaaboe.exe | 2608 | Modifies registry class
97 | C:\Windows\SysWOW64\Hbajjiml.exe | C:\Windows\system32\Hbajjiml.exe | 2620 | Drops file in System32 directory
98 | C:\Windows\SysWOW64\Hepffelp.exe | C:\Windows\system32\Hepffelp.exe | 2568 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
99 | C:\Windows\SysWOW64\Hpejcnlf.exe | C:\Windows\system32\Hpejcnlf.exe | 1208 |
100 | C:\Windows\SysWOW64\Ijokcl32.exe | C:\Windows\system32\Ijokcl32.exe | 2472 | Adds autorun key to be loaded by Explorer.exe on startup
101 | C:\Windows\SysWOW64\Ibfcei32.exe | C:\Windows\system32\Ibfcei32.exe | 2936 | Modifies registry class
102 | C:\Windows\SysWOW64\Ihclmp32.exe | C:\Windows\system32\Ihclmp32.exe | 1288 |
103 | C:\Windows\SysWOW64\Ieglfd32.exe | C:\Windows\system32\Ieglfd32.exe | 2380 | Drops file in System32 directory
104 | C:\Windows\SysWOW64\Ihehbpel.exe | C:\Windows\system32\Ihehbpel.exe | 2344 |
105 | C:\Windows\SysWOW64\Iopqoi32.exe | C:\Windows\system32\Iopqoi32.exe | 2352 | Modifies registry class
106 | C:\Windows\SysWOW64\Ipqmgbbf.exe | C:\Windows\system32\Ipqmgbbf.exe | 1592 |
107 | C:\Windows\SysWOW64\Ihhehoci.exe | C:\Windows\system32\Ihhehoci.exe | 920 | Adds autorun key to be loaded by Explorer.exe on startup
108 | C:\Windows\SysWOW64\Ifkecl32.exe | C:\Windows\system32\Ifkecl32.exe | 2512 | Adds autorun key to be loaded by Explorer.exe on startup
109 | C:\Windows\SysWOW64\Iapjad32.exe | C:\Windows\system32\Iapjad32.exe | 2148 | Modifies registry class
110 | C:\Windows\SysWOW64\Idofmp32.exe | C:\Windows\system32\Idofmp32.exe | 1884 |
111 | C:\Windows\SysWOW64\Imgjfe32.exe | C:\Windows\system32\Imgjfe32.exe | 2940 |
112 | C:\Windows\SysWOW64\Ipefba32.exe | C:\Windows\system32\Ipefba32.exe | 2720 | Adds autorun key to be loaded by Explorer.exe on startup
113 | C:\Windows\SysWOW64\Ibdcnm32.exe | C:\Windows\system32\Ibdcnm32.exe | 2876 | System Location Discovery: System Language Discovery
114 | C:\Windows\SysWOW64\Jmigke32.exe | C:\Windows\system32\Jmigke32.exe | 2688 | Adds autorun key to be loaded by Explorer.exe on startup
115 | C:\Windows\SysWOW64\Jokccnci.exe | C:\Windows\system32\Jokccnci.exe | 2504 |
116 | C:\Windows\SysWOW64\Jgbkdkdk.exe | C:\Windows\system32\Jgbkdkdk.exe | 2204 |
117 | C:\Windows\SysWOW64\Jlodma32.exe | C:\Windows\system32\Jlodma32.exe | 2976 |
118 | C:\Windows\SysWOW64\Jompim32.exe | C:\Windows\system32\Jompim32.exe | 2104 |
119 | C:\Windows\SysWOW64\Jaklei32.exe | C:\Windows\system32\Jaklei32.exe | 2556 | System Location Discovery: System Language Discovery
120 | C:\Windows\SysWOW64\Jibdff32.exe | C:\Windows\system32\Jibdff32.exe | 864 |
121 | C:\Windows\SysWOW64\Jkdanngk.exe | C:\Windows\system32\Jkdanngk.exe | 2400 | Drops file in System32 directory
122 | C:\Windows\SysWOW64\Joomnm32.exe | C:\Windows\system32\Joomnm32.exe | 1896 |