Analysis
max time kernel: 143s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 07/08/2024, 23:26
Static task: static1
Behavioral task: behavioral1
Sample: 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
Resource: win10v2004-20240802-en
General
Target: 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
Size: 406KB
MD5: 8fc786b89848a1b3c9204d1fd84cc1dc
SHA1: f696750570ab8d76d36d2600493db052a6a47151
SHA256: 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc
SHA512: 7c9b3740792492a77f0aa823d5d64b5c493f65402f31387d4a75056224a8a09e50560a7f554c569f006b5729b9a0a53d809bb20d615d60b8e05f5203ad6b2344
SSDEEP: 6144:K3aYlEz1U5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:EVlEmMp3Ma3M3MvD3Mq3B3Mo3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpdmao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ingcfq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecqdad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbgfkeo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciigjh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjpace32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpfepamo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhopblhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgchlg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oebmnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqemcc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dahkngdj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gncnln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgnfdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dngcjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiamal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cicccfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cepjhb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkbkdh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpdmgomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjoanmlb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlahfgek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljfcgofh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajhmffin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcmbdo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obdbkqai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbjmpepa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pclleiah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgdikkaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omcmfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkbgclfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfladgdh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clappaon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdkmde32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjlogk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kglgpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnfbkhbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncmiddod.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhmggi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfjdnggk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plcgjpmi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfcllpdf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbghck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pciflkhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfnehhdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfphljcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipmbobhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emhpfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Majlod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Haigco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdnbmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dldonj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgogm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boccmpmo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgbegj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdqobcio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmcagjgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnjlec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dafqap32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Badpoggd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeeicc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egoopl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfihjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkpnoi32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1996 | Chhnljmn.exe
2372 | Dkfjhela.exe
2916 | Dobfhd32.exe
2824 | Deloen32.exe
2756 | Dkigme32.exe
2732 | Dngcjp32.exe
2308 | Dhmggi32.exe
2664 | Djndoaof.exe
2144 | Emhpfk32.exe
2252 | Egaqgi32.exe
1276 | Eiamal32.exe
2332 | Fnbodbaq.exe
2944 | Fgkcmg32.exe
1708 | Fiomjp32.exe
2604 | Geemoqaq.exe
1348 | Gaokjaeb.exe
928 | Ghkplk32.exe
2156 | Hfbicg32.exe
796 | Hjneceek.exe
2928 | Hdigakji.exe
308 | Hfgcnfil.exe
1436 | Hpogglpm.exe
1120 | Hfipcf32.exe
1048 | Helpocnd.exe
2352 | Hijhea32.exe
1576 | Iogamhbb.exe
2816 | Ieaijb32.exe
2848 | Ikbkmhda.exe
1704 | Ipapko32.exe
2632 | Jcpmgj32.exe
3024 | Jpdmao32.exe
1488 | Jhaokqik.exe
2164 | Jkpkglho.exe
2224 | Joncmj32.exe
2984 | Jdkleamm.exe
344 | Kdmikakj.exe
2504 | Kgkegljn.exe
2288 | Kjjachia.exe
1080 | Kbaidejd.exe
1992 | Kqhckami.exe
1876 | Kcgogm32.exe
1916 | Kjqgdgcj.exe
2416 | Kmocpbbm.exe
1936 | Kcilml32.exe
1760 | Lfghih32.exe
1984 | Lifdec32.exe
3012 | Lkdqao32.exe
3028 | Lfjdnggk.exe
1440 | Lmdmka32.exe
2312 | Lneibjdf.exe
2744 | Lfladgdh.exe
2772 | Liknpbdl.exe
3016 | Lpdfmm32.exe
2836 | Lbcbih32.exe
2388 | Lgpjaohd.exe
1720 | Ljngmjhh.exe
2808 | Lahojd32.exe
2624 | Lgbgfofa.exe
1480 | Majlod32.exe
2708 | Mfgdhkki.exe
380 | Mnnlihll.exe
1624 | Mamhedko.exe
980 | Mckdaojc.exe
1380 | Mjemni32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1724 | 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
1724 | 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
1996 | Chhnljmn.exe
1996 | Chhnljmn.exe
2372 | Dkfjhela.exe
2372 | Dkfjhela.exe
2916 | Dobfhd32.exe
2916 | Dobfhd32.exe
2824 | Deloen32.exe
2824 | Deloen32.exe
2756 | Dkigme32.exe
2756 | Dkigme32.exe
2732 | Dngcjp32.exe
2732 | Dngcjp32.exe
2308 | Dhmggi32.exe
2308 | Dhmggi32.exe
2664 | Djndoaof.exe
2664 | Djndoaof.exe
2144 | Emhpfk32.exe
2144 | Emhpfk32.exe
2252 | Egaqgi32.exe
2252 | Egaqgi32.exe
1276 | Eiamal32.exe
1276 | Eiamal32.exe
2332 | Fnbodbaq.exe
2332 | Fnbodbaq.exe
2944 | Fgkcmg32.exe
2944 | Fgkcmg32.exe
1708 | Fiomjp32.exe
1708 | Fiomjp32.exe
2604 | Geemoqaq.exe
2604 | Geemoqaq.exe
1348 | Gaokjaeb.exe
1348 | Gaokjaeb.exe
928 | Ghkplk32.exe
928 | Ghkplk32.exe
2156 | Hfbicg32.exe
2156 | Hfbicg32.exe
796 | Hjneceek.exe
796 | Hjneceek.exe
2928 | Hdigakji.exe
2928 | Hdigakji.exe
308 | Hfgcnfil.exe
308 | Hfgcnfil.exe
1436 | Hpogglpm.exe
1436 | Hpogglpm.exe
1120 | Hfipcf32.exe
1120 | Hfipcf32.exe
1048 | Helpocnd.exe
1048 | Helpocnd.exe
2352 | Hijhea32.exe
2352 | Hijhea32.exe
1576 | Iogamhbb.exe
1576 | Iogamhbb.exe
2816 | Ieaijb32.exe
2816 | Ieaijb32.exe
2848 | Ikbkmhda.exe
2848 | Ikbkmhda.exe
1704 | Ipapko32.exe
1704 | Ipapko32.exe
2632 | Jcpmgj32.exe
2632 | Jcpmgj32.exe
3024 | Jpdmao32.exe
3024 | Jpdmao32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Mcoaddee.dll | Bkeiim32.exe
File opened for modification | C:\Windows\SysWOW64\Gcmbdo32.exe | Gnpjlhjg.exe
File opened for modification | C:\Windows\SysWOW64\Kljecejk.exe | Khoibf32.exe
File opened for modification | C:\Windows\SysWOW64\Ahhjamop.exe | Ackaifph.exe
File created | C:\Windows\SysWOW64\Lgfkba32.dll | Pgblap32.exe
File created | C:\Windows\SysWOW64\Cinfgdpm.dll | Mbnpknef.exe
File opened for modification | C:\Windows\SysWOW64\Cmmegnaj.exe | Cefmfq32.exe
File opened for modification | C:\Windows\SysWOW64\Dfpldgnk.exe | Dacdlqpc.exe
File created | C:\Windows\SysWOW64\Jigcmgma.exe | Jbmkpm32.exe
File opened for modification | C:\Windows\SysWOW64\Bbgdkb32.exe | Bknlnhgk.exe
File opened for modification | C:\Windows\SysWOW64\Dhmggi32.exe | Dngcjp32.exe
File created | C:\Windows\SysWOW64\Ipibhcml.dll | Oagqmeqp.exe
File created | C:\Windows\SysWOW64\Ikcbmcgm.dll | Cpfepamo.exe
File created | C:\Windows\SysWOW64\Ckioiojo.dll | Gcdcqacf.exe
File created | C:\Windows\SysWOW64\Kaloenob.dll | Nmfdgq32.exe
File created | C:\Windows\SysWOW64\Fpnmnfkp.dll | Epgdha32.exe
File created | C:\Windows\SysWOW64\Pcimfalg.exe | Pjahnk32.exe
File opened for modification | C:\Windows\SysWOW64\Oiikbf32.exe | Okfkgiah.exe
File created | C:\Windows\SysWOW64\Ojdehp32.dll | Gifedg32.exe
File opened for modification | C:\Windows\SysWOW64\Gkpjnl32.exe | Glmjboak.exe
File created | C:\Windows\SysWOW64\Mamhedko.exe | Mnnlihll.exe
File opened for modification | C:\Windows\SysWOW64\Cfcalafd.exe | Cebedipf.exe
File created | C:\Windows\SysWOW64\Iojhlkji.dll | Ffkpin32.exe
File opened for modification | C:\Windows\SysWOW64\Aqlcdb32.exe | Annfhg32.exe
File opened for modification | C:\Windows\SysWOW64\Gialihan.exe | Gcdcqacf.exe
File opened for modification | C:\Windows\SysWOW64\Pghheh32.exe | Pclleiah.exe
File created | C:\Windows\SysWOW64\Qglheknk.dll | Fpdmgomj.exe
File opened for modification | C:\Windows\SysWOW64\Nekmjeda.exe | Nmceihco.exe
File created | C:\Windows\SysWOW64\Qjhonjoo.exe | Pcnfap32.exe
File opened for modification | C:\Windows\SysWOW64\Ohaijo32.exe | Oebmnc32.exe
File created | C:\Windows\SysWOW64\Dmjfcj32.dll | Ihgnpe32.exe
File created | C:\Windows\SysWOW64\Cjopeifa.exe | Cllojl32.exe
File created | C:\Windows\SysWOW64\Gdabbahf.dll | Mhelbine.exe
File created | C:\Windows\SysWOW64\Ljngmjhh.exe | Lgpjaohd.exe
File created | C:\Windows\SysWOW64\Bifgkn32.dll | Nekmjeda.exe
File created | C:\Windows\SysWOW64\Ikmomeke.dll | Oopalo32.exe
File created | C:\Windows\SysWOW64\Kdbdoini.exe | Knhlbo32.exe
File opened for modification | C:\Windows\SysWOW64\Bmnpba32.exe | Bibcbbjq.exe
File created | C:\Windows\SysWOW64\Ccbdiiml.exe | Cofhhj32.exe
File created | C:\Windows\SysWOW64\Kancmh32.dll | Apkhgk32.exe
File created | C:\Windows\SysWOW64\Ldgjje32.dll | Fcnohkqb.exe
File created | C:\Windows\SysWOW64\Qmfkjfnb.exe | Qjhonjoo.exe
File opened for modification | C:\Windows\SysWOW64\Kjgncagi.exe | Kghagf32.exe
File created | C:\Windows\SysWOW64\Fnnhbkmj.exe | Fgdpea32.exe
File created | C:\Windows\SysWOW64\Hmhend32.dll | Mlleijkm.exe
File created | C:\Windows\SysWOW64\Bfdgfgkm.exe | Bcekjkli.exe
File created | C:\Windows\SysWOW64\Fphbbgjc.dll | Eegmgd32.exe
File created | C:\Windows\SysWOW64\Kmipek32.dll | Dafecnjh.exe
File created | C:\Windows\SysWOW64\Objcpf32.exe | Oiaogajo.exe
File created | C:\Windows\SysWOW64\Bpndin32.dll | Cmphgdcb.exe
File opened for modification | C:\Windows\SysWOW64\Foonom32.exe | Flqacb32.exe
File opened for modification | C:\Windows\SysWOW64\Hpogglpm.exe | Hfgcnfil.exe
File created | C:\Windows\SysWOW64\Dmpdfi32.dll | Cnblbiic.exe
File created | C:\Windows\SysWOW64\Dkgmqn32.exe | Dldlealk.exe
File opened for modification | C:\Windows\SysWOW64\Fnfgfi32.exe | Fhjonbcj.exe
File created | C:\Windows\SysWOW64\Gchiipld.exe | Gnkqainl.exe
File created | C:\Windows\SysWOW64\Gpaepgno.dll | Khafhf32.exe
File created | C:\Windows\SysWOW64\Iaeihfen.exe | Imimgg32.exe
File opened for modification | C:\Windows\SysWOW64\Lifdec32.exe | Lfghih32.exe
File created | C:\Windows\SysWOW64\Fdikgc32.dll | Bblbho32.exe
File opened for modification | C:\Windows\SysWOW64\Iijknjlo.exe | Iflobnlk.exe
File opened for modification | C:\Windows\SysWOW64\Bbmeqgoo.exe | Bcjdek32.exe
File created | C:\Windows\SysWOW64\Begagoon.dll | Dpekdnln.exe
File opened for modification | C:\Windows\SysWOW64\Epegcanj.exe | Eikofg32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2240 | 1932 | WerFault.exe | 1042
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbiohiea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlpijggf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndpmdkpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmleljmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbjmpepa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjgncagi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qobcfklm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcjfooja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbngkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmlomh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljfcgofh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eobgiien.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcjhahbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbgnaljp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohifedep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmgajk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eeojbj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjopeifa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qhhnbjld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lahojd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olmledda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbdjbbcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlfjdeme.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajhmffin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qejafomq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmcoob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdaidbha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bblbho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ednfnq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaoogn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpimqdll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bifkding.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dihcil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggccaemi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdcacd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joncmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbhcmaoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfpkjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aknpod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lifdec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibfcgech.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjimgj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecfpem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmocpbbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmhodg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onmhogkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aibejf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkjefeig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqqboo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpjhkkbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Namedgnk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmceihco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odbgqaff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enaocnlg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nagdna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbmcgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eiphagch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjpoal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alaiml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meakdgll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lohlek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gialihan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbhnmp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibkokmgg.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohfbendg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcbmjgko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gnpjlhjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfqcfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majigf32.dll" | Demcgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpeike32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflgjp32.dll" | Iabjim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbihhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkcbhhj.dll" | Fjjbblni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbhnmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fqgpgd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmegmdoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbljedmn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npikgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkfnnff.dll" | Gboqgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kcoblg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjbgfkeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klbfog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpcenddg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lneeal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emonlaab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndkapbmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jgakfgom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgjjkiin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdodpk32.dll" | Lbagladc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kenqakea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlopmfd.dll" | Pbdojdde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmpjph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggccaemi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnhnc32.dll" | Cfeggkpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imajbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmnpba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jlpijggf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpfjqlc.dll" | Hijhea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjkef32.dll" | Pcnfap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hapmdnbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mfijcdek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddanoc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkkflmop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jemciflo.dll" | Ilkdpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfphljcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbecoeg.dll" | Opfdfmka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeholb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedldjmb.dll" | Cnceeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fliqgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nannaa32.dll" | Pacgcijn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiqcc32.dll" | Ecenlddg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdjpejeh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjkaeppn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hanpnndb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bqgonpmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmepjid.dll" | Hfphljcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcimfalg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkidkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imaonn32.dll" | Aijdnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldpdhmcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcoblg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjbnie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjcagnii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbmcgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbphfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmhin32.dll" | Niehal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qejafomq.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe (PID 1724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\73e109e6ef49d7ba284c8070c3a17a9778a96617eaa03604934380fedc6eb5cc.exe"
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Chhnljmn.exe (PID 1996)
    Command line: C:\Windows\system32\Chhnljmn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dkfjhela.exe (PID 2372)
    Command line: C:\Windows\system32\Dkfjhela.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dobfhd32.exe (PID 2916)
    Command line: C:\Windows\system32\Dobfhd32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Deloen32.exe (PID 2824)
    Command line: C:\Windows\system32\Deloen32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dkigme32.exe (PID 2756)
    Command line: C:\Windows\system32\Dkigme32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dngcjp32.exe (PID 2732)
    Command line: C:\Windows\system32\Dngcjp32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dhmggi32.exe (PID 2308)
    Command line: C:\Windows\system32\Dhmggi32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Djndoaof.exe (PID 2664)
    Command line: C:\Windows\system32\Djndoaof.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Emhpfk32.exe (PID 2144)
    Command line: C:\Windows\system32\Emhpfk32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Egaqgi32.exe (PID 2252)
    Command line: C:\Windows\system32\Egaqgi32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eiamal32.exe (PID 1276)
    Command line: C:\Windows\system32\Eiamal32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fnbodbaq.exe (PID 2332)
    Command line: C:\Windows\system32\Fnbodbaq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fgkcmg32.exe (PID 2944)
    Command line: C:\Windows\system32\Fgkcmg32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fiomjp32.exe (PID 1708)
    Command line: C:\Windows\system32\Fiomjp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Geemoqaq.exe (PID 2604)
    Command line: C:\Windows\system32\Geemoqaq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Gaokjaeb.exe (PID 1348)
    Command line: C:\Windows\system32\Gaokjaeb.exe
    - Executes dropped EXE
    - Loads dropped DLL
18. C:\Windows\SysWOW64\Ghkplk32.exe (PID 928)
    Command line: C:\Windows\system32\Ghkplk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
19. C:\Windows\SysWOW64\Hfbicg32.exe (PID 2156)
    Command line: C:\Windows\system32\Hfbicg32.exe
    - Executes dropped EXE
    - Loads dropped DLL
20. C:\Windows\SysWOW64\Hjneceek.exe (PID 796)
    Command line: C:\Windows\system32\Hjneceek.exe
    - Executes dropped EXE
    - Loads dropped DLL
21. C:\Windows\SysWOW64\Hdigakji.exe (PID 2928)
    Command line: C:\Windows\system32\Hdigakji.exe
    - Executes dropped EXE
    - Loads dropped DLL
22. C:\Windows\SysWOW64\Hfgcnfil.exe (PID 308)
    Command line: C:\Windows\system32\Hfgcnfil.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
23. C:\Windows\SysWOW64\Hpogglpm.exe (PID 1436)
    Command line: C:\Windows\system32\Hpogglpm.exe
    - Executes dropped EXE
    - Loads dropped DLL
24. C:\Windows\SysWOW64\Hfipcf32.exe (PID 1120)
    Command line: C:\Windows\system32\Hfipcf32.exe
    - Executes dropped EXE
    - Loads dropped DLL
25. C:\Windows\SysWOW64\Helpocnd.exe (PID 1048)
    Command line: C:\Windows\system32\Helpocnd.exe
    - Executes dropped EXE
    - Loads dropped DLL
26. C:\Windows\SysWOW64\Hijhea32.exe (PID 2352)
    Command line: C:\Windows\system32\Hijhea32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
27. C:\Windows\SysWOW64\Iogamhbb.exe (PID 1576)
    Command line: C:\Windows\system32\Iogamhbb.exe
    - Executes dropped EXE
    - Loads dropped DLL
28. C:\Windows\SysWOW64\Ieaijb32.exe (PID 2816)
    Command line: C:\Windows\system32\Ieaijb32.exe
    - Executes dropped EXE
    - Loads dropped DLL
29. C:\Windows\SysWOW64\Ikbkmhda.exe (PID 2848)
    Command line: C:\Windows\system32\Ikbkmhda.exe
    - Executes dropped EXE
    - Loads dropped DLL
30. C:\Windows\SysWOW64\Ipapko32.exe (PID 1704)
    Command line: C:\Windows\system32\Ipapko32.exe
    - Executes dropped EXE
    - Loads dropped DLL
31. C:\Windows\SysWOW64\Jcpmgj32.exe (PID 2632)
    Command line: C:\Windows\system32\Jcpmgj32.exe
    - Executes dropped EXE
    - Loads dropped DLL
32. C:\Windows\SysWOW64\Jpdmao32.exe (PID 3024)
    Command line: C:\Windows\system32\Jpdmao32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
33. C:\Windows\SysWOW64\Jhaokqik.exe (PID 1488)
    Command line: C:\Windows\system32\Jhaokqik.exe
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Jkpkglho.exe (PID 2164)
    Command line: C:\Windows\system32\Jkpkglho.exe
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Joncmj32.exe (PID 2224)
    Command line: C:\Windows\system32\Joncmj32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Jdkleamm.exe (PID 2984)
    Command line: C:\Windows\system32\Jdkleamm.exe
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Kdmikakj.exe (PID 344)
    Command line: C:\Windows\system32\Kdmikakj.exe
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Kgkegljn.exe (PID 2504)
    Command line: C:\Windows\system32\Kgkegljn.exe
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Kjjachia.exe (PID 2288)
    Command line: C:\Windows\system32\Kjjachia.exe
    - Executes dropped EXE
40. C:\Windows\SysWOW64\Kbaidejd.exe (PID 1080)
    Command line: C:\Windows\system32\Kbaidejd.exe
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Kqhckami.exe (PID 1992)
    Command line: C:\Windows\system32\Kqhckami.exe
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Kcgogm32.exe (PID 1876)
    Command line: C:\Windows\system32\Kcgogm32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Kjqgdgcj.exe (PID 1916)
    Command line: C:\Windows\system32\Kjqgdgcj.exe
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Kmocpbbm.exe (PID 2416)
    Command line: C:\Windows\system32\Kmocpbbm.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Kcilml32.exe (PID 1936)
    Command line: C:\Windows\system32\Kcilml32.exe
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Lfghih32.exe (PID 1760)
    Command line: C:\Windows\system32\Lfghih32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
47. C:\Windows\SysWOW64\Lifdec32.exe (PID 1984)
    Command line: C:\Windows\system32\Lifdec32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Lkdqao32.exe (PID 3012)
    Command line: C:\Windows\system32\Lkdqao32.exe
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Lfjdnggk.exe (PID 3028)
    Command line: C:\Windows\system32\Lfjdnggk.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Lmdmka32.exe (PID 1440)
    Command line: C:\Windows\system32\Lmdmka32.exe
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Lneibjdf.exe (PID 2312)
    Command line: C:\Windows\system32\Lneibjdf.exe
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Lfladgdh.exe (PID 2744)
    Command line: C:\Windows\system32\Lfladgdh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
53. C:\Windows\SysWOW64\Liknpbdl.exe (PID 2772)
    Command line: C:\Windows\system32\Liknpbdl.exe
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Lpdfmm32.exe (PID 3016)
    Command line: C:\Windows\system32\Lpdfmm32.exe
    - Executes dropped EXE
55. C:\Windows\SysWOW64\Lbcbih32.exe (PID 2836)
    Command line: C:\Windows\system32\Lbcbih32.exe
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Lgpjaohd.exe (PID 2388)
    Command line: C:\Windows\system32\Lgpjaohd.exe
    - Executes dropped EXE
    - Drops file in System32 directory
57. C:\Windows\SysWOW64\Ljngmjhh.exe (PID 1720)
    Command line: C:\Windows\system32\Ljngmjhh.exe
    - Executes dropped EXE
58. C:\Windows\SysWOW64\Lahojd32.exe (PID 2808)
    Command line: C:\Windows\system32\Lahojd32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
59. C:\Windows\SysWOW64\Lgbgfofa.exe (PID 2624)
    Command line: C:\Windows\system32\Lgbgfofa.exe
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Majlod32.exe (PID 1480)
    Command line: C:\Windows\system32\Majlod32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Mfgdhkki.exe (PID 2708)
    Command line: C:\Windows\system32\Mfgdhkki.exe
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Mnnlihll.exe (PID 380)
    Command line: C:\Windows\system32\Mnnlihll.exe
    - Executes dropped EXE
    - Drops file in System32 directory
63. C:\Windows\SysWOW64\Mamhedko.exe (PID 1624)
    Command line: C:\Windows\system32\Mamhedko.exe
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Mckdaojc.exe (PID 980)
    Command line: C:\Windows\system32\Mckdaojc.exe
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Mjemni32.exe (PID 1380)
    Command line: C:\Windows\system32\Mjemni32.exe
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Mmcije32.exe (PID 2716)
    Command line: C:\Windows\system32\Mmcije32.exe
67. C:\Windows\SysWOW64\Mdnagohp.exe (PID 3032)
    Command line: C:\Windows\system32\Mdnagohp.exe
68. C:\Windows\SysWOW64\Mflncjgd.exe (PID 540)
    Command line: C:\Windows\system32\Mflncjgd.exe
69. C:\Windows\SysWOW64\Mmffpdoa.exe (PID 2512)
    Command line: C:\Windows\system32\Mmffpdoa.exe
70. C:\Windows\SysWOW64\Mpdblpnd.exe (PID 444)
    Command line: C:\Windows\system32\Mpdblpnd.exe
71. C:\Windows\SysWOW64\Mfnjhj32.exe (PID 2400)
    Command line: C:\Windows\system32\Mfnjhj32.exe
72. C:\Windows\SysWOW64\Meakdgll.exe (PID 1368)
    Command line: C:\Windows\system32\Meakdgll.exe
    - System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Mlkcqa32.exe (PID 572)
    Command line: C:\Windows\system32\Mlkcqa32.exe
74. C:\Windows\SysWOW64\Mpgoaplb.exe (PID 2412)
    Command line: C:\Windows\system32\Mpgoaplb.exe
75. C:\Windows\SysWOW64\Mfqgnj32.exe (PID 2704)
    Command line: C:\Windows\system32\Mfqgnj32.exe
76. C:\Windows\SysWOW64\Miocjebb.exe (PID 2700)
    Command line: C:\Windows\system32\Miocjebb.exe
77. C:\Windows\SysWOW64\Npikgo32.exe (PID 2556)
    Command line: C:\Windows\system32\Npikgo32.exe
    - Modifies registry class
78. C:\Windows\SysWOW64\Nbghck32.exe (PID 2812)
    Command line: C:\Windows\system32\Nbghck32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Niappepp.exe (PID 1160)
    Command line: C:\Windows\system32\Niappepp.exe
80. C:\Windows\SysWOW64\Nlpllpoc.exe (PID 2640)
    Command line: C:\Windows\system32\Nlpllpoc.exe
81. C:\Windows\SysWOW64\Nbjdhj32.exe (PID 2948)
    Command line: C:\Windows\system32\Nbjdhj32.exe
82. C:\Windows\SysWOW64\Namedgnk.exe (PID 2828)
    Command line: C:\Windows\system32\Namedgnk.exe
    - System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Ndkapbmo.exe (PID 2136)
    Command line: C:\Windows\system32\Ndkapbmo.exe
    - Modifies registry class
84. C:\Windows\SysWOW64\Nhfmqa32.exe (PID 2440)
    Command line: C:\Windows\system32\Nhfmqa32.exe
85. C:\Windows\SysWOW64\Nmceihco.exe (PID 2596)
    Command line: C:\Windows\system32\Nmceihco.exe
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
86. C:\Windows\SysWOW64\Nekmjeda.exe (PID 1268)
    Command line: C:\Windows\system32\Nekmjeda.exe
    - Drops file in System32 directory
87. C:\Windows\SysWOW64\Nhijface.exe (PID 2952)
    Command line: C:\Windows\system32\Nhijface.exe
88. C:\Windows\SysWOW64\Nkgfblbi.exe (PID 2508)
    Command line: C:\Windows\system32\Nkgfblbi.exe
89. C:\Windows\SysWOW64\Naanof32.exe (PID 448)
    Command line: C:\Windows\system32\Naanof32.exe
90. C:\Windows\SysWOW64\Ndpjkb32.exe (PID 1524)
    Command line: C:\Windows\system32\Ndpjkb32.exe
91. C:\Windows\SysWOW64\Nimccigq.exe (PID 1948)
    Command line: C:\Windows\system32\Nimccigq.exe
92. C:\Windows\SysWOW64\Nmhodg32.exe (PID 3040)
    Command line: C:\Windows\system32\Nmhodg32.exe
    - System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Odbgqaff.exe (PID 740)
    Command line: C:\Windows\system32\Odbgqaff.exe
    - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Ocegln32.exe (PID 2112)
    Command line: C:\Windows\system32\Ocegln32.exe
95. C:\Windows\SysWOW64\Oiopihen.exe (PID 1556)
    Command line: C:\Windows\system32\Oiopihen.exe
96. C:\Windows\SysWOW64\Olmledda.exe (PID 3056)
    Command line: C:\Windows\system32\Olmledda.exe
    - System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Odddfadd.exe (PID 2384)
    Command line: C:\Windows\system32\Odddfadd.exe
98. C:\Windows\SysWOW64\Ogcpbmcg.exe (PID 1644)
    Command line: C:\Windows\system32\Ogcpbmcg.exe
99. C:\Windows\SysWOW64\Onmhogkd.exe (PID 1532)
    Command line: C:\Windows\system32\Onmhogkd.exe
    - System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Opkdkbjh.exe (PID 1060)
    Command line: C:\Windows\system32\Opkdkbjh.exe
101. C:\Windows\SysWOW64\Ogemhl32.exe (PID 1284)
    Command line: C:\Windows\system32\Ogemhl32.exe
102. C:\Windows\SysWOW64\Oehmciho.exe (PID 2892)
    Command line: C:\Windows\system32\Oehmciho.exe
103. C:\Windows\SysWOW64\Opnaabhe.exe (PID 2616)
    Command line: C:\Windows\system32\Opnaabhe.exe
104. C:\Windows\SysWOW64\Oopalo32.exe (PID 2100)
    Command line: C:\Windows\system32\Oopalo32.exe
    - Drops file in System32 directory
105. C:\Windows\SysWOW64\Oejjiifm.exe (PID 628)
    Command line: C:\Windows\system32\Oejjiifm.exe
106. C:\Windows\SysWOW64\Ohifedep.exe (PID 2796)
    Command line: C:\Windows\system32\Ohifedep.exe
    - System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Ocnjbm32.exe (PID 2876)
    Command line: C:\Windows\system32\Ocnjbm32.exe
108. C:\Windows\SysWOW64\Odpfjekd.exe (PID 2852)
    Command line: C:\Windows\system32\Odpfjekd.exe
109. C:\Windows\SysWOW64\Pkiogo32.exe (PID 2120)
    Command line: C:\Windows\system32\Pkiogo32.exe
110. C:\Windows\SysWOW64\Pacgcijn.exe (PID 1956)
    Command line: C:\Windows\system32\Pacgcijn.exe
    - Modifies registry class
111. C:\Windows\SysWOW64\Pgpplphe.exe (PID 2496)
    Command line: C:\Windows\system32\Pgpplphe.exe
112. C:\Windows\SysWOW64\Pqiddfof.exe (PID 1672)
    Command line: C:\Windows\system32\Pqiddfof.exe
113. C:\Windows\SysWOW64\Pgblap32.exe (PID 1680)
    Command line: C:\Windows\system32\Pgblap32.exe
    - Drops file in System32 directory
114. C:\Windows\SysWOW64\Pjahnk32.exe (PID 2528)
    Command line: C:\Windows\system32\Pjahnk32.exe
    - Drops file in System32 directory
115. C:\Windows\SysWOW64\Pcimfalg.exe (PID 1592)
    Command line: C:\Windows\system32\Pcimfalg.exe
    - Modifies registry class
116. C:\Windows\SysWOW64\Pkqegnmi.exe (PID 1600)
    Command line: C:\Windows\system32\Pkqegnmi.exe
117. C:\Windows\SysWOW64\Pdiipdcj.exe (PID 2888)
    Command line: C:\Windows\system32\Pdiipdcj.exe
118. C:\Windows\SysWOW64\Pcljlq32.exe (PID 2780)
    Command line: C:\Windows\system32\Pcljlq32.exe
119. C:\Windows\SysWOW64\Pnanii32.exe (PID 2648)
    Command line: C:\Windows\system32\Pnanii32.exe
120. C:\Windows\SysWOW64\Pcnfap32.exe (PID 2668)
    Command line: C:\Windows\system32\Pcnfap32.exe
    - Drops file in System32 directory
    - Modifies registry class
121. C:\Windows\SysWOW64\Qjhonjoo.exe (PID 2968)
    Command line: C:\Windows\system32\Qjhonjoo.exe
    - Drops file in System32 directory
122. C:\Windows\SysWOW64\Qmfkjfnb.exe (PID 2108)
    Command line: C:\Windows\system32\Qmfkjfnb.exe