Analysis
-
max time kernel
39s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 20:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe
-
Size
128KB
-
MD5
e62d4616565372cc5dc51fd80f807cce
-
SHA1
dda2eb07217e6d1859f231c20db7a8ab162ebc9c
-
SHA256
212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64
-
SHA512
a0dafad8eb0730f0837dd6cd7c318232dc3070ba3c5d74b5df2c90b48cf553cbbf0cc00700d7552bdf178d5ee497b5c6e60eda21b694cca13fd6c516573147e8
-
SSDEEP
3072:UnWnTOEb9/g/60EDk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/:UWTL9/g/vEDFtCApaH8m3QIvMWH5H
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piohgbng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhflcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klkfdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jecnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miocmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miapbpmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objmgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkqiek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgecq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajldkhjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boobki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koibpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepmlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldfcpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkmdodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebockkal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaholp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maldfbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpdeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkifkdjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaofgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egebjmdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elieipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieommdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifengpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glckihcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblola32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beogaenl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haemloni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmlniea.exe -
Executes dropped EXE 64 IoCs
pid Process 2252 Gmnngl32.exe 2728 Gieommdc.exe 2556 Glckihcg.exe 808 Ggiofa32.exe 848 Gncgbkki.exe 2348 Goddjc32.exe 1748 Genlgnhd.exe 1040 Hhmhcigh.exe 2756 Hpcpdfhj.exe 1236 Haemloni.exe 584 Hhoeii32.exe 2008 Hkmaed32.exe 2028 Hcdifa32.exe 1696 Hdefnjkj.exe 2212 Hkpnjd32.exe 2976 Hnnjfo32.exe 2100 Hajfgnjc.exe 992 Hdhbci32.exe 1088 Honfqb32.exe 1944 Hdjoii32.exe 1808 Hhfkihon.exe 1736 Hgiked32.exe 1704 Hnbcaome.exe 2984 Idmlniea.exe 1296 Icplje32.exe 2740 Ijidfpci.exe 2860 Iqcmcj32.exe 2640 Igmepdbc.exe 1096 Ingmmn32.exe 2596 Icdeee32.exe 1148 Ijnnao32.exe 2948 Iianmlfn.exe 1896 Iqhfnifq.exe 2708 Ibibfa32.exe 2120 Ifengpdh.exe 1444 Iomcpe32.exe 2344 Iblola32.exe 2012 Iejkhlip.exe 1920 Jkdcdf32.exe 1616 Jfjhbo32.exe 1424 Jgkdigfa.exe 1912 Jkfpjf32.exe 2180 Jbphgpfg.exe 1220 Jeoeclek.exe 1012 Jgmaog32.exe 3048 Jjlmkb32.exe 1932 Jngilalk.exe 2744 Jbcelp32.exe 2660 Jeaahk32.exe 2584 Jcdadhjb.exe 2672 Jgpndg32.exe 1472 Jjnjqb32.exe 2568 Jnifaajh.exe 2868 Jmlfmn32.exe 2960 Jecnnk32.exe 2808 Jcfoihhp.exe 2840 Jfekec32.exe 2812 Jnlbgq32.exe 2972 Jmocbnop.exe 2024 Jajocl32.exe 2064 Kgdgpfnf.exe 1644 Kjbclamj.exe 1496 Kmaphmln.exe 1900 Kppldhla.exe -
Loads dropped DLL 64 IoCs
pid Process 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 2252 Gmnngl32.exe 2252 Gmnngl32.exe 2728 Gieommdc.exe 2728 Gieommdc.exe 2556 Glckihcg.exe 2556 Glckihcg.exe 808 Ggiofa32.exe 808 Ggiofa32.exe 848 Gncgbkki.exe 848 Gncgbkki.exe 2348 Goddjc32.exe 2348 Goddjc32.exe 1748 Genlgnhd.exe 1748 Genlgnhd.exe 1040 Hhmhcigh.exe 1040 Hhmhcigh.exe 2756 Hpcpdfhj.exe 2756 Hpcpdfhj.exe 1236 Haemloni.exe 1236 Haemloni.exe 584 Hhoeii32.exe 584 Hhoeii32.exe 2008 Hkmaed32.exe 2008 Hkmaed32.exe 2028 Hcdifa32.exe 2028 Hcdifa32.exe 1696 Hdefnjkj.exe 1696 Hdefnjkj.exe 2212 Hkpnjd32.exe 2212 Hkpnjd32.exe 2976 Hnnjfo32.exe 2976 Hnnjfo32.exe 2100 Hajfgnjc.exe 2100 Hajfgnjc.exe 992 Hdhbci32.exe 992 Hdhbci32.exe 1088 Honfqb32.exe 1088 Honfqb32.exe 1944 Hdjoii32.exe 1944 Hdjoii32.exe 1808 Hhfkihon.exe 1808 Hhfkihon.exe 1736 Hgiked32.exe 1736 Hgiked32.exe 1704 Hnbcaome.exe 1704 Hnbcaome.exe 2984 Idmlniea.exe 2984 Idmlniea.exe 1296 Icplje32.exe 1296 Icplje32.exe 2740 Ijidfpci.exe 2740 Ijidfpci.exe 2860 Iqcmcj32.exe 2860 Iqcmcj32.exe 2640 Igmepdbc.exe 2640 Igmepdbc.exe 1096 Ingmmn32.exe 1096 Ingmmn32.exe 2596 Icdeee32.exe 2596 Icdeee32.exe 1148 Ijnnao32.exe 1148 Ijnnao32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ebockkal.exe Epqgopbi.exe File created C:\Windows\SysWOW64\Kgdgpfnf.exe Jajocl32.exe File created C:\Windows\SysWOW64\Qnqjkh32.exe Plbmom32.exe File created C:\Windows\SysWOW64\Ipoidefp.dll Cppobaeb.exe File opened for modification C:\Windows\SysWOW64\Bkcfjk32.exe Bhdjno32.exe File opened for modification C:\Windows\SysWOW64\Kjbclamj.exe Kgdgpfnf.exe File opened for modification C:\Windows\SysWOW64\Pidaba32.exe Pfeeff32.exe File created C:\Windows\SysWOW64\Bceeqi32.exe Bojipjcj.exe File opened for modification C:\Windows\SysWOW64\Anhpkg32.exe Ajldkhjh.exe File created C:\Windows\SysWOW64\Mdojnm32.exe Maanab32.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Ngeljh32.exe File opened for modification C:\Windows\SysWOW64\Onamle32.exe Okbapi32.exe File created C:\Windows\SysWOW64\Njecbced.dll Hgiked32.exe File created C:\Windows\SysWOW64\Kpbhjh32.exe Kmclmm32.exe File created C:\Windows\SysWOW64\Ogdhik32.exe Oqkpmaif.exe File created C:\Windows\SysWOW64\Befnbd32.exe Bakaaepk.exe File created C:\Windows\SysWOW64\Ifhfbgmj.dll Cgqmpkfg.exe File opened for modification C:\Windows\SysWOW64\Hnnjfo32.exe Hkpnjd32.exe File opened for modification C:\Windows\SysWOW64\Nbqjqehd.exe Nobndj32.exe File created C:\Windows\SysWOW64\Cidcinlc.dll Ajjgei32.exe File created C:\Windows\SysWOW64\Mokkegmm.exe Miocmq32.exe File created C:\Windows\SysWOW64\Objmgd32.exe Ojceef32.exe File created C:\Windows\SysWOW64\Gchhdfem.dll Qemomb32.exe File opened for modification C:\Windows\SysWOW64\Egpena32.exe Einebddd.exe File created C:\Windows\SysWOW64\Jgmaog32.exe Jeoeclek.exe File opened for modification C:\Windows\SysWOW64\Kjepaa32.exe Kbnhpdke.exe File created C:\Windows\SysWOW64\Fdffdghm.dll Maanab32.exe File opened for modification C:\Windows\SysWOW64\Fnjnkkbk.exe Fpgnoo32.exe File created C:\Windows\SysWOW64\Nkilelaf.dll Kaholp32.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cjmmffgn.exe File created C:\Windows\SysWOW64\Bafmhm32.dll Djafaf32.exe File created C:\Windows\SysWOW64\Lcfejhma.dll Koibpd32.exe File created C:\Windows\SysWOW64\Bfdbgnmd.dll Ngeljh32.exe File created C:\Windows\SysWOW64\Ipbolili.dll Pjlgle32.exe File created C:\Windows\SysWOW64\Hnnjfo32.exe Hkpnjd32.exe File created C:\Windows\SysWOW64\Blkmdodf.exe Bimphc32.exe File created C:\Windows\SysWOW64\Akpcdopi.dll Blkmdodf.exe File created C:\Windows\SysWOW64\Mffdnf32.dll Jeoeclek.exe File opened for modification C:\Windows\SysWOW64\Jecnnk32.exe Jmlfmn32.exe File created C:\Windows\SysWOW64\Bbmcpemo.dll Macjgadf.exe File created C:\Windows\SysWOW64\Ckinbali.dll Ccqhdmbc.exe File created C:\Windows\SysWOW64\Eiilge32.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Bflpbe32.dll Ppdfimji.exe File opened for modification C:\Windows\SysWOW64\Apilcoho.exe Anhpkg32.exe File created C:\Windows\SysWOW64\Bkcfjk32.exe Bhdjno32.exe File created C:\Windows\SysWOW64\Jailfk32.dll Jecnnk32.exe File created C:\Windows\SysWOW64\Igooceih.dll Qaofgc32.exe File opened for modification C:\Windows\SysWOW64\Nnodgbed.exe Ngeljh32.exe File created C:\Windows\SysWOW64\Dfaakfpk.dll Ofaolcmh.exe File opened for modification C:\Windows\SysWOW64\Befnbd32.exe Bakaaepk.exe File created C:\Windows\SysWOW64\Cpcpnokb.dll Iqcmcj32.exe File created C:\Windows\SysWOW64\Amoaeb32.dll Jjlmkb32.exe File opened for modification C:\Windows\SysWOW64\Mcidkf32.exe Mlolnllf.exe File created C:\Windows\SysWOW64\Eciljg32.dll Jnifaajh.exe File created C:\Windows\SysWOW64\Cdeffdbl.dll Oqojhp32.exe File opened for modification C:\Windows\SysWOW64\Ppgcol32.exe Pmhgba32.exe File opened for modification C:\Windows\SysWOW64\Qbobaf32.exe Qjgjpi32.exe File created C:\Windows\SysWOW64\Afeaei32.exe Adgein32.exe File created C:\Windows\SysWOW64\Bbgclj32.dll Igmepdbc.exe File created C:\Windows\SysWOW64\Keango32.exe Kfnnlboi.exe File created C:\Windows\SysWOW64\Oqojhp32.exe Onamle32.exe File opened for modification C:\Windows\SysWOW64\Cppobaeb.exe Camnge32.exe File created C:\Windows\SysWOW64\Cdpdnpif.exe Cpdhna32.exe File opened for modification C:\Windows\SysWOW64\Hnbcaome.exe Hgiked32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4084 3632 WerFault.exe 321 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklopg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggiofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goddjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhndnpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceeqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcemnopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifengpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maanab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkqiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbcaome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppldhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onldqejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcpdfhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafhff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklepmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpnoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boobki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfoihhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfllhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjnkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beogaenl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmmffgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfchqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfpnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaphmln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablbjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbclamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahimb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdjoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malbbh32.dll" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algllb32.dll" Hpcpdfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfekec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmmpgoa.dll" Jkfpjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmnahnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lldpji32.dll" Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdgpfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafick32.dll" Nobndj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiajn32.dll" Jbcelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljflhj.dll" Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgpndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedamd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll" Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Ejfllhao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmocbnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfjkphjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbcaome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgcol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmaphmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neajod32.dll" Mecglbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbjifgcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdeee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckefai.dll" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnlnmnm.dll" Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deafohkc.dll" Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcmmc32.dll" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlbn32.dll" Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggiofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajldkhjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqddmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjcfm32.dll" Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll" Cgqmpkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhflcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caokmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Eiilge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmeebpkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqhfnifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajjg32.dll" Aahimb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccboal32.dll" Ggiofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbqjqehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbifkd.dll" Hhoeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomcpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiofnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll" Dochelmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgcbgmg.dll" Hhmhcigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbmom32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2252 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 30 PID 2000 wrote to memory of 2252 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 30 PID 2000 wrote to memory of 2252 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 30 PID 2000 wrote to memory of 2252 2000 212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe 30 PID 2252 wrote to memory of 2728 2252 Gmnngl32.exe 31 PID 2252 wrote to memory of 2728 2252 Gmnngl32.exe 31 PID 2252 wrote to memory of 2728 2252 Gmnngl32.exe 31 PID 2252 wrote to memory of 2728 2252 Gmnngl32.exe 31 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2556 wrote to memory of 808 2556 Glckihcg.exe 33 PID 2556 wrote to memory of 808 2556 Glckihcg.exe 33 PID 2556 wrote to memory of 808 2556 Glckihcg.exe 33 PID 2556 wrote to memory of 808 2556 Glckihcg.exe 33 PID 808 wrote to memory of 848 808 Ggiofa32.exe 34 PID 808 wrote to memory of 848 808 Ggiofa32.exe 34 PID 808 wrote to memory of 848 808 Ggiofa32.exe 34 PID 808 wrote to memory of 848 808 Ggiofa32.exe 34 PID 848 wrote to memory of 2348 848 Gncgbkki.exe 35 PID 848 wrote to memory of 2348 848 Gncgbkki.exe 35 PID 848 wrote to memory of 2348 848 Gncgbkki.exe 35 PID 848 wrote to memory of 2348 848 Gncgbkki.exe 35 PID 2348 wrote to memory of 1748 2348 Goddjc32.exe 36 PID 2348 wrote to memory of 1748 2348 Goddjc32.exe 36 PID 2348 wrote to memory of 1748 2348 Goddjc32.exe 36 PID 2348 wrote to memory of 1748 2348 Goddjc32.exe 36 PID 1748 wrote to memory of 1040 1748 Genlgnhd.exe 37 PID 1748 wrote to memory of 1040 1748 Genlgnhd.exe 37 PID 1748 wrote to memory of 1040 1748 Genlgnhd.exe 37 PID 1748 wrote to memory of 1040 1748 Genlgnhd.exe 37 PID 1040 wrote to memory of 2756 1040 Hhmhcigh.exe 38 PID 1040 wrote to memory of 2756 1040 Hhmhcigh.exe 38 PID 1040 wrote to memory of 2756 1040 Hhmhcigh.exe 38 PID 1040 wrote to memory of 2756 1040 Hhmhcigh.exe 38 PID 2756 wrote to memory of 1236 2756 Hpcpdfhj.exe 39 PID 2756 wrote to memory of 1236 2756 Hpcpdfhj.exe 39 PID 2756 wrote to memory of 1236 2756 Hpcpdfhj.exe 39 PID 2756 wrote to memory of 1236 2756 Hpcpdfhj.exe 39 PID 1236 wrote to memory of 584 1236 Haemloni.exe 40 PID 1236 wrote to memory of 584 1236 Haemloni.exe 40 PID 1236 wrote to memory of 584 1236 Haemloni.exe 40 PID 1236 wrote to memory of 584 1236 Haemloni.exe 40 PID 584 wrote to memory of 2008 584 Hhoeii32.exe 41 PID 584 wrote to memory of 2008 584 Hhoeii32.exe 41 PID 584 wrote to memory of 2008 584 Hhoeii32.exe 41 PID 584 wrote to memory of 2008 584 Hhoeii32.exe 41 PID 2008 wrote to memory of 2028 2008 Hkmaed32.exe 42 PID 2008 wrote to memory of 2028 2008 Hkmaed32.exe 42 PID 2008 wrote to memory of 2028 2008 Hkmaed32.exe 42 PID 2008 wrote to memory of 2028 2008 Hkmaed32.exe 42 PID 2028 wrote to memory of 1696 2028 Hcdifa32.exe 43 PID 2028 wrote to memory of 1696 2028 Hcdifa32.exe 43 PID 2028 wrote to memory of 1696 2028 Hcdifa32.exe 43 PID 2028 wrote to memory of 1696 2028 Hcdifa32.exe 43 PID 1696 wrote to memory of 2212 1696 Hdefnjkj.exe 44 PID 1696 wrote to memory of 2212 1696 Hdefnjkj.exe 44 PID 1696 wrote to memory of 2212 1696 Hdefnjkj.exe 44 PID 1696 wrote to memory of 2212 1696 Hdefnjkj.exe 44 PID 2212 wrote to memory of 2976 2212 Hkpnjd32.exe 45 PID 2212 wrote to memory of 2976 2212 Hkpnjd32.exe 45 PID 2212 wrote to memory of 2976 2212 Hkpnjd32.exe 45 PID 2212 wrote to memory of 2976 2212 Hkpnjd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe"C:\Users\Admin\AppData\Local\Temp\212d3ef6fed6e7f7a75c3050cf06f4e83f9d1c6090fc30f691ad097cfab0fe64.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Goddjc32.exeC:\Windows\system32\Goddjc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Hnnjfo32.exeC:\Windows\system32\Hnnjfo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Icdeee32.exeC:\Windows\system32\Icdeee32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe33⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe35⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe39⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe40⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe41⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe42⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe44⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jeoeclek.exeC:\Windows\system32\Jeoeclek.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe46⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe48⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe50⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe51⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe59⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe66⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe67⤵PID:2444
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe69⤵PID:1000
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe71⤵PID:1732
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe74⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe75⤵PID:2712
-
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Kiofnm32.exeC:\Windows\system32\Kiofnm32.exe79⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe81⤵PID:2988
-
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe82⤵PID:2632
-
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe83⤵PID:2156
-
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe84⤵PID:2636
-
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe85⤵PID:1076
-
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe87⤵PID:3016
-
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe89⤵PID:2332
-
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe90⤵PID:764
-
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe93⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe95⤵PID:2292
-
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe97⤵PID:804
-
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe98⤵PID:664
-
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe100⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe102⤵PID:2308
-
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe103⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe105⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe106⤵PID:2060
-
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Mkdioh32.exeC:\Windows\system32\Mkdioh32.exe109⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe110⤵PID:3024
-
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe112⤵PID:2816
-
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe114⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe116⤵PID:1560
-
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe117⤵PID:1276
-
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe118⤵PID:2484
-
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe120⤵PID:2500
-
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-