Analysis
-
max time kernel
141s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11/08/2024, 02:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe
-
Size
72KB
-
MD5
cf3c6c02af7d6a293b2483966bc82bd4
-
SHA1
c1973804f4634c9345d9f0bf009f3ba55f8ff806
-
SHA256
d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051
-
SHA512
75bd7ef0e15150a7a62c8677a13cc06b655fa1e48f313b16f576fe6147979a4e64ea887a655fa06e6b4d682ddfe636484df0992350f3ffa01d3401dbd1155898
-
SSDEEP
1536:6aoDbbHejGJGnTjRNGLjkjMUguDZjI9M9FtTZaokBm2LeR6+lWCWQ+:6pPJGTjRNOjkjMUgu1jIeTtTZaFL+6++
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngiiip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faedpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddeae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpoofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommdqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjqqianh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbplciof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nebnigmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panehkaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkpdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfkhbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmhgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmgcepio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipgnbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbjca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bineidcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlofhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bambjnfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phoeomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjomoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiabjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiclnpjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclcfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjcleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffenmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npkaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppmpmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdnipal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklpml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkklflj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkeelml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajmkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccecheeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elejqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldlghhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjlmjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljkofkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghjqlmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinahhff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilpmo32.exe -
Executes dropped EXE 64 IoCs
pid Process 3036 Ieeqpi32.exe 2712 Ionehnbm.exe 2660 Jldbgb32.exe 2732 Jbcgeilh.exe 2724 Jqhdfe32.exe 2632 Jjqiok32.exe 2536 Kqmnadlk.exe 2368 Kqokgd32.exe 1380 Kikokf32.exe 2844 Kkkhmadd.exe 1760 Lajmkhai.exe 264 Lbjjekhl.exe 1644 Lnqkjl32.exe 2096 Lflonn32.exe 2088 Lfnlcnih.exe 336 Mjlejl32.exe 1432 Mpimbcnf.exe 1476 Mmmnkglp.exe 1768 Mfebdm32.exe 2020 Mlbkmdah.exe 1728 Mejoei32.exe 1604 Moccnoni.exe 2040 Nkjdcp32.exe 2216 Ndbile32.exe 1548 Nddeae32.exe 2476 Ndgbgefh.exe 3056 Nggkipci.exe 2796 Oemhjlha.exe 2564 Ocqhcqgk.exe 2736 Oikapk32.exe 2808 Olkjaflh.exe 3068 Ogekbchg.exe 1964 Odiklh32.exe 2388 Pncljmko.exe 1784 Pfoanp32.exe 2848 Pcenmcea.exe 2988 Polobd32.exe 760 Qmpplh32.exe 2168 Akjfhdka.exe 2328 Acejlfhl.exe 2176 Aplkah32.exe 1608 Aakhkj32.exe 540 Bppdlgjk.exe 340 Bemmenhb.exe 1804 Bikfklni.exe 2496 Bafkookd.exe 824 Bhpclica.exe 2456 Baigen32.exe 1304 Bjalndpb.exe 1096 Bdipfi32.exe 2704 Cmaeoo32.exe 1664 Cpbnaj32.exe 2672 Cmfnjnin.exe 2556 Cdqfgh32.exe 2588 Cllkkk32.exe 928 Ccecheeb.exe 2280 Cpidai32.exe 1204 Dibhjokm.exe 2624 Dcjmcd32.exe 1492 Dlbaljhn.exe 1368 Dapjdq32.exe 2072 Dkhnmfle.exe 1388 Dhlogjko.exe 2356 Ddbolkac.exe -
Loads dropped DLL 64 IoCs
pid Process 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 3036 Ieeqpi32.exe 3036 Ieeqpi32.exe 2712 Ionehnbm.exe 2712 Ionehnbm.exe 2660 Jldbgb32.exe 2660 Jldbgb32.exe 2732 Jbcgeilh.exe 2732 Jbcgeilh.exe 2724 Jqhdfe32.exe 2724 Jqhdfe32.exe 2632 Jjqiok32.exe 2632 Jjqiok32.exe 2536 Kqmnadlk.exe 2536 Kqmnadlk.exe 2368 Kqokgd32.exe 2368 Kqokgd32.exe 1380 Kikokf32.exe 1380 Kikokf32.exe 2844 Kkkhmadd.exe 2844 Kkkhmadd.exe 1760 Lajmkhai.exe 1760 Lajmkhai.exe 264 Lbjjekhl.exe 264 Lbjjekhl.exe 1644 Lnqkjl32.exe 1644 Lnqkjl32.exe 2096 Lflonn32.exe 2096 Lflonn32.exe 2088 Lfnlcnih.exe 2088 Lfnlcnih.exe 336 Mjlejl32.exe 336 Mjlejl32.exe 1432 Mpimbcnf.exe 1432 Mpimbcnf.exe 1476 Mmmnkglp.exe 1476 Mmmnkglp.exe 1768 Mfebdm32.exe 1768 Mfebdm32.exe 2020 Mlbkmdah.exe 2020 Mlbkmdah.exe 1728 Mejoei32.exe 1728 Mejoei32.exe 1604 Moccnoni.exe 1604 Moccnoni.exe 2040 Nkjdcp32.exe 2040 Nkjdcp32.exe 2216 Ndbile32.exe 2216 Ndbile32.exe 1548 Nddeae32.exe 1548 Nddeae32.exe 1572 Ngencpel.exe 1572 Ngencpel.exe 3056 Nggkipci.exe 3056 Nggkipci.exe 2796 Oemhjlha.exe 2796 Oemhjlha.exe 2564 Ocqhcqgk.exe 2564 Ocqhcqgk.exe 2736 Oikapk32.exe 2736 Oikapk32.exe 2808 Olkjaflh.exe 2808 Olkjaflh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ddmfllng.dll Pgogla32.exe File created C:\Windows\SysWOW64\Gnenfjdh.exe Fejjah32.exe File opened for modification C:\Windows\SysWOW64\Mpimbcnf.exe Mjlejl32.exe File opened for modification C:\Windows\SysWOW64\Bghfacem.exe Aaondi32.exe File created C:\Windows\SysWOW64\Hqggmb32.dll Hmnhnk32.exe File created C:\Windows\SysWOW64\Lpjiik32.exe Lgbdpena.exe File created C:\Windows\SysWOW64\Gcljdpke.exe Gfhikl32.exe File created C:\Windows\SysWOW64\Cjaieoko.exe Colegflh.exe File created C:\Windows\SysWOW64\Hplbbh32.dll Fncddc32.exe File created C:\Windows\SysWOW64\Kcjklqhh.dll Qqoaefke.exe File created C:\Windows\SysWOW64\Pcenmcea.exe Pfoanp32.exe File opened for modification C:\Windows\SysWOW64\Ompgqonl.exe Ofklpa32.exe File opened for modification C:\Windows\SysWOW64\Iljkofkg.exe Ilhnjfmi.exe File created C:\Windows\SysWOW64\Pghjqlmi.exe Omoehf32.exe File created C:\Windows\SysWOW64\Pfehhmgp.dll Conbmfif.exe File created C:\Windows\SysWOW64\Ohncdp32.exe Obakli32.exe File created C:\Windows\SysWOW64\Kfbemi32.exe Kgmilmkb.exe File created C:\Windows\SysWOW64\Qhmomjib.dll Dabicikf.exe File created C:\Windows\SysWOW64\Jlhjll32.dll Ebofcd32.exe File created C:\Windows\SysWOW64\Ffenmp32.exe Fjlqcppm.exe File created C:\Windows\SysWOW64\Ojjkim32.dll Lpjiik32.exe File created C:\Windows\SysWOW64\Bcdbiikn.dll Ahjahk32.exe File opened for modification C:\Windows\SysWOW64\Afjncabj.exe Amaiklki.exe File created C:\Windows\SysWOW64\Egknpp32.dll Enmqjq32.exe File created C:\Windows\SysWOW64\Icgpcjpo.dll Lohiob32.exe File created C:\Windows\SysWOW64\Cfknjfbl.exe Cqneaodd.exe File created C:\Windows\SysWOW64\Edfqclni.exe Eiplecnc.exe File created C:\Windows\SysWOW64\Njnjicba.dll Hiabjm32.exe File opened for modification C:\Windows\SysWOW64\Jafilj32.exe Jhndcd32.exe File created C:\Windows\SysWOW64\Kkomepon.exe Jafilj32.exe File created C:\Windows\SysWOW64\Epggabhd.dll Elbkbh32.exe File created C:\Windows\SysWOW64\Hmnhnk32.exe Hpjgdf32.exe File created C:\Windows\SysWOW64\Cebedebg.dll Fmgcepio.exe File opened for modification C:\Windows\SysWOW64\Dajiok32.exe Bfeibo32.exe File opened for modification C:\Windows\SysWOW64\Dmopge32.exe Dgbgon32.exe File opened for modification C:\Windows\SysWOW64\Iefeaj32.exe Ipimic32.exe File created C:\Windows\SysWOW64\Fcffeo32.dll Dnmada32.exe File created C:\Windows\SysWOW64\Moccnoni.exe Mejoei32.exe File opened for modification C:\Windows\SysWOW64\Cfmhfm32.exe Cjfgalcq.exe File created C:\Windows\SysWOW64\Egkfbg32.dll Geeekf32.exe File created C:\Windows\SysWOW64\Odmbgbpa.dll Polakmbi.exe File opened for modification C:\Windows\SysWOW64\Kppohf32.exe Kdincdcl.exe File opened for modification C:\Windows\SysWOW64\Geeekf32.exe Ghaeaaki.exe File opened for modification C:\Windows\SysWOW64\Mbpibm32.exe Manljd32.exe File opened for modification C:\Windows\SysWOW64\Nmbmii32.exe Nlapaapg.exe File opened for modification C:\Windows\SysWOW64\Hbhagiem.exe Hipmoc32.exe File opened for modification C:\Windows\SysWOW64\Ppmkilbp.exe Omonmpcm.exe File opened for modification C:\Windows\SysWOW64\Alkpgh32.exe Aijgemok.exe File created C:\Windows\SysWOW64\Fbglkj32.dll Dapjdq32.exe File opened for modification C:\Windows\SysWOW64\Plffkc32.exe Papank32.exe File created C:\Windows\SysWOW64\Donkapjh.dll Adcobk32.exe File created C:\Windows\SysWOW64\Jgqmmiph.dll Hjnaehgj.exe File created C:\Windows\SysWOW64\Fapapi32.dll Oomlfpdi.exe File opened for modification C:\Windows\SysWOW64\Koeeoljm.exe Kaaeegkc.exe File created C:\Windows\SysWOW64\Chmglegi.dll Mlbkmdah.exe File created C:\Windows\SysWOW64\Icipkhcj.dll Lbplciof.exe File created C:\Windows\SysWOW64\Pkmobp32.exe Pqhkdg32.exe File opened for modification C:\Windows\SysWOW64\Nddeae32.exe Ndbile32.exe File created C:\Windows\SysWOW64\Acblnk32.dll Bafkookd.exe File created C:\Windows\SysWOW64\Cllkkk32.exe Cdqfgh32.exe File opened for modification C:\Windows\SysWOW64\Echlmh32.exe Enkdda32.exe File created C:\Windows\SysWOW64\Bdibjakn.dll Ppegdapd.exe File created C:\Windows\SysWOW64\Bqciha32.exe Bkgqpjch.exe File created C:\Windows\SysWOW64\Aidpiiop.dll Ckgmon32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3240 3784 WerFault.exe 693 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffenmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmjanpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhnbklji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbadifn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcpkldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljkofkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhngbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifikehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinahhff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conbmfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnekcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllpflng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhopgkin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plcied32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fonbff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcajn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgefmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaahofh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkmdah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdkbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikokf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polobd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfmahkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agaifnhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnipal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkfdmpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjqqianh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkkeeikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioochn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memncbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkiae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllkkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlmpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkigfdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjomoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milaecdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmnkglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaqhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddbpmpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkccob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaondi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogddpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dieiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmmnkglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkocfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdopknp.dll" d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkdda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obfdgiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagjap32.dll" Bmbkid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkaccp32.dll" Hpjgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpddof32.dll" Iljkofkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnhnmckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fepnhjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikhqbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnekcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjakoig.dll" Kbflqccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqbfdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehoe32.dll" Mipgnbnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alfdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjkbfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecllqcgk.dll" Oqcffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkdmi32.dll" Cllkkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhngkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfaokb32.dll" Dggbgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfchcp.dll" Eekdmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahancp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faedpdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkmdah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbqdldhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncance32.dll" Ienfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmiknng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilddl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnipgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaocifl.dll" Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalapaaj.dll" Fjlqcppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkkeeikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpoboge.dll" Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmmdj32.dll" Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkchooim.dll" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkcgapjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baigen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncaei32.dll" Pljnmkoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apllml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijbjpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbqbioeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplbamdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilmkffb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meojkide.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgcncli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbmcd32.dll" Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjaieoko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igldicdf.dll" Fjfjcdln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obfdgiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnihneon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghagobg.dll" Aplkah32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1292 wrote to memory of 3036 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 30 PID 1292 wrote to memory of 3036 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 30 PID 1292 wrote to memory of 3036 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 30 PID 1292 wrote to memory of 3036 1292 d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe 30 PID 3036 wrote to memory of 2712 3036 Ieeqpi32.exe 31 PID 3036 wrote to memory of 2712 3036 Ieeqpi32.exe 31 PID 3036 wrote to memory of 2712 3036 Ieeqpi32.exe 31 PID 3036 wrote to memory of 2712 3036 Ieeqpi32.exe 31 PID 2712 wrote to memory of 2660 2712 Ionehnbm.exe 32 PID 2712 wrote to memory of 2660 2712 Ionehnbm.exe 32 PID 2712 wrote to memory of 2660 2712 Ionehnbm.exe 32 PID 2712 wrote to memory of 2660 2712 Ionehnbm.exe 32 PID 2660 wrote to memory of 2732 2660 Jldbgb32.exe 33 PID 2660 wrote to memory of 2732 2660 Jldbgb32.exe 33 PID 2660 wrote to memory of 2732 2660 Jldbgb32.exe 33 PID 2660 wrote to memory of 2732 2660 Jldbgb32.exe 33 PID 2732 wrote to memory of 2724 2732 Jbcgeilh.exe 34 PID 2732 wrote to memory of 2724 2732 Jbcgeilh.exe 34 PID 2732 wrote to memory of 2724 2732 Jbcgeilh.exe 34 PID 2732 wrote to memory of 2724 2732 Jbcgeilh.exe 34 PID 2724 wrote to memory of 2632 2724 Jqhdfe32.exe 35 PID 2724 wrote to memory of 2632 2724 Jqhdfe32.exe 35 PID 2724 wrote to memory of 2632 2724 Jqhdfe32.exe 35 PID 2724 wrote to memory of 2632 2724 Jqhdfe32.exe 35 PID 2632 wrote to memory of 2536 2632 Jjqiok32.exe 36 PID 2632 wrote to memory of 2536 2632 Jjqiok32.exe 36 PID 2632 wrote to memory of 2536 2632 Jjqiok32.exe 36 PID 2632 wrote to memory of 2536 2632 Jjqiok32.exe 36 PID 2536 wrote to memory of 2368 2536 Kqmnadlk.exe 37 PID 2536 wrote to memory of 2368 2536 Kqmnadlk.exe 37 PID 2536 wrote to memory of 2368 2536 Kqmnadlk.exe 37 PID 2536 wrote to memory of 2368 2536 Kqmnadlk.exe 37 PID 2368 wrote to memory of 1380 2368 Kqokgd32.exe 38 PID 2368 wrote to memory of 1380 2368 Kqokgd32.exe 38 PID 2368 wrote to memory of 1380 2368 Kqokgd32.exe 38 PID 2368 wrote to memory of 1380 2368 Kqokgd32.exe 38 PID 1380 wrote to memory of 2844 1380 Kikokf32.exe 39 PID 1380 wrote to memory of 2844 1380 Kikokf32.exe 39 PID 1380 wrote to memory of 2844 1380 Kikokf32.exe 39 PID 1380 wrote to memory of 2844 1380 Kikokf32.exe 39 PID 2844 wrote to memory of 1760 2844 Kkkhmadd.exe 40 PID 2844 wrote to memory of 1760 2844 Kkkhmadd.exe 40 PID 2844 wrote to memory of 1760 2844 Kkkhmadd.exe 40 PID 2844 wrote to memory of 1760 2844 Kkkhmadd.exe 40 PID 1760 wrote to memory of 264 1760 Lajmkhai.exe 41 PID 1760 wrote to memory of 264 1760 Lajmkhai.exe 41 PID 1760 wrote to memory of 264 1760 Lajmkhai.exe 41 PID 1760 wrote to memory of 264 1760 Lajmkhai.exe 41 PID 264 wrote to memory of 1644 264 Lbjjekhl.exe 42 PID 264 wrote to memory of 1644 264 Lbjjekhl.exe 42 PID 264 wrote to memory of 1644 264 Lbjjekhl.exe 42 PID 264 wrote to memory of 1644 264 Lbjjekhl.exe 42 PID 1644 wrote to memory of 2096 1644 Lnqkjl32.exe 43 PID 1644 wrote to memory of 2096 1644 Lnqkjl32.exe 43 PID 1644 wrote to memory of 2096 1644 Lnqkjl32.exe 43 PID 1644 wrote to memory of 2096 1644 Lnqkjl32.exe 43 PID 2096 wrote to memory of 2088 2096 Lflonn32.exe 44 PID 2096 wrote to memory of 2088 2096 Lflonn32.exe 44 PID 2096 wrote to memory of 2088 2096 Lflonn32.exe 44 PID 2096 wrote to memory of 2088 2096 Lflonn32.exe 44 PID 2088 wrote to memory of 336 2088 Lfnlcnih.exe 45 PID 2088 wrote to memory of 336 2088 Lfnlcnih.exe 45 PID 2088 wrote to memory of 336 2088 Lfnlcnih.exe 45 PID 2088 wrote to memory of 336 2088 Lfnlcnih.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe"C:\Users\Admin\AppData\Local\Temp\d7cb2a4382377649a8b6902588ab575620401ff842eff715e6d0a9768b1ad051.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jldbgb32.exeC:\Windows\system32\Jldbgb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jjqiok32.exeC:\Windows\system32\Jjqiok32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kqokgd32.exeC:\Windows\system32\Kqokgd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Kikokf32.exeC:\Windows\system32\Kikokf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Kkkhmadd.exeC:\Windows\system32\Kkkhmadd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Lbjjekhl.exeC:\Windows\system32\Lbjjekhl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Lflonn32.exeC:\Windows\system32\Lflonn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Lfnlcnih.exeC:\Windows\system32\Lfnlcnih.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Mpimbcnf.exeC:\Windows\system32\Mpimbcnf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Mmmnkglp.exeC:\Windows\system32\Mmmnkglp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Mlbkmdah.exeC:\Windows\system32\Mlbkmdah.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Moccnoni.exeC:\Windows\system32\Moccnoni.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Ndgbgefh.exeC:\Windows\system32\Ndgbgefh.exe27⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe28⤵
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Oikapk32.exeC:\Windows\system32\Oikapk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Ogekbchg.exeC:\Windows\system32\Ogekbchg.exe34⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Odiklh32.exeC:\Windows\system32\Odiklh32.exe35⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe36⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe38⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Qmpplh32.exeC:\Windows\system32\Qmpplh32.exe40⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe41⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe42⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Aplkah32.exeC:\Windows\system32\Aplkah32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Aakhkj32.exeC:\Windows\system32\Aakhkj32.exe44⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bppdlgjk.exeC:\Windows\system32\Bppdlgjk.exe45⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe46⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe47⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe49⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe51⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe52⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe54⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe59⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe60⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe61⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe62⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Dapjdq32.exeC:\Windows\system32\Dapjdq32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe64⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe65⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe66⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe68⤵PID:2936
-
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe69⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe70⤵PID:1904
-
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe71⤵PID:1568
-
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe72⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Elejqm32.exeC:\Windows\system32\Elejqm32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Ecobmg32.exeC:\Windows\system32\Ecobmg32.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe75⤵PID:2572
-
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe76⤵
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe77⤵PID:2380
-
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe79⤵PID:2052
-
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe80⤵PID:2320
-
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe81⤵PID:2100
-
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe82⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe83⤵PID:812
-
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe85⤵
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe86⤵PID:2964
-
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe88⤵PID:2744
-
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe89⤵PID:2780
-
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe90⤵PID:2692
-
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe91⤵PID:2728
-
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe92⤵PID:2600
-
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe93⤵PID:1612
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe94⤵PID:2748
-
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe95⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe96⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe97⤵PID:2188
-
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe98⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe100⤵PID:1800
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe101⤵PID:1724
-
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe102⤵PID:3012
-
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe104⤵PID:2756
-
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe105⤵PID:2716
-
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe106⤵PID:1232
-
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe107⤵PID:1176
-
C:\Windows\SysWOW64\Jjneoeeh.exeC:\Windows\system32\Jjneoeeh.exe108⤵PID:924
-
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe109⤵PID:2076
-
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe110⤵PID:2436
-
C:\Windows\SysWOW64\Kgmilmkb.exeC:\Windows\system32\Kgmilmkb.exe111⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe112⤵PID:1276
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe113⤵PID:1560
-
C:\Windows\SysWOW64\Lomglo32.exeC:\Windows\system32\Lomglo32.exe114⤵PID:2708
-
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe115⤵PID:2792
-
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe116⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe117⤵PID:2644
-
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe118⤵PID:520
-
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe120⤵PID:1100
-
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe121⤵PID:2948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-