Analysis
max time kernel: 38s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: 47a7976ebc58ca48ff09a392db9bd950N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 47a7976ebc58ca48ff09a392db9bd950N.exe
  Resource: win10v2004-20240802-en
The signature tables below come from the behavioral1 run (windows7_x64, win7-20240729-en). The Wow6432Node registry paths and SysWOW64 file paths throughout show the sample running as a 32-bit process on that 64-bit image.
General
Target: 47a7976ebc58ca48ff09a392db9bd950N.exe (the name is the file's MD5 plus "N"; no original filename is recorded)
Size: 136KB
MD5: 47a7976ebc58ca48ff09a392db9bd950
SHA1: d661df43071a0ef86387fb22361668f44d2cf6c7
SHA256: 9bfea3c998eba58fb9caaca938243d02ddfdb71b01c628f971dcfcd9bfa09f6e
SHA512: 198e1c195419065961e80aaada19178a65914ee0f32a0b5bfbde36a2ae0366fa29d291b20d3148f93a4f0d4a7a94e573505298836a201ee7037390bb44cee356
SSDEEP: 3072:lrJ9he5cl1yzE/Pk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/gU:v9c5cCzEHFtCApaH8m3QIvMWH5H3U
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every process listed here writes the same ShellServiceObjectDelayLoad (SSODL) value, "Web Event Logger", pointing at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the CLSID's InProcServer32 (see "Modifies registry class" below) is the DLL explorer.exe would load at logon. Note the Wow6432Node path: the value landed in the 32-bit registry view through WOW64 redirection, and a 64-bit explorer.exe cannot load a 32-bit in-process COM server, so on this x64 image the mechanism leaves registry artefacts without code execution; it is effective on 32-bit Windows.
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (26): Icnpbkal.exe, Hmoneq32.exe, Llncgm32.exe, Fgiggh32.exe, Fmeopo32.exe, Gaagoqcp.exe, Lkgmfneb.exe, Ihmiqnke.exe, Cdlbkk32.exe, Lnlpci32.exe, Odddfadd.exe, Hlaoqnif.exe, Nbjdhj32.exe, Iajgdc32.exe, Knemcf32.exe, Eflkda32.exe, Llijlncp.exe, Hjneceek.exe, Gejgjp32.exe, Jgkhhigb.exe, Jfhljd32.exe, Koppbjmc.exe, Iknabi32.exe, Jjonod32.exe, Fnbodbaq.exe, Joncmj32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  by (38): Nkgfblbi.exe, Fmeopo32.exe, Gnnbhf32.exe, Ghffal32.exe, Ipocfobh.exe, Jlogao32.exe, Moioml32.exe, Iecfpa32.exe, Jgihamlq.exe, Mimfde32.exe, Edahen32.exe, Ehjgpm32.exe, Emhpfk32.exe, Gblknd32.exe, Jcdfbjkd.exe, Koppbjmc.exe, Kqamjb32.exe, Lgpjaohd.exe, Llncgm32.exe, Kmmgjb32.exe, Nlnpfqaf.exe, Fnbodbaq.exe, Joncmj32.exe, Kmocpbbm.exe, Ihmiqnke.exe, Gaagoqcp.exe, Naanof32.exe, Gnponefo.exe, Kdabfp32.exe, Oiopihen.exe, Dgbdhe32.exe, Nbjdhj32.exe, Nocbck32.exe, Lemejd32.exe, Ghhcfk32.exe, Jogmlken.exe, Jbjccf32.exe, Mjgjcipm.exe
Executes dropped EXE (64 IoCs)
pid Process, in the order the report lists them (the same parent-to-child order as "Suspicious use of WriteProcessMemory" below):
2028 Ceehdo32.exe, 2372 Cloqaiil.exe, 2916 Commmdhp.exe, 2764 Commmdhp.exe, 2884 Cciincqi.exe, 2748 Caliip32.exe, 2948 Cdlbkk32.exe, 2636 Dobfhd32.exe, 1872 Deloen32.exe, 2980 Dngcjp32.exe,
2440 Dpepfl32.exe, 1664 Dnipop32.exe, 2872 Daelpooi.exe, 2852 Dgbdhe32.exe, 1380 Dnlmdpem.exe, 584 Dgdane32.exe, 2488 Dnnijocj.exe, 376 Doofbg32.exe, 3040 Eckbbf32.exe, 920 Efinoa32.exe,
1936 Ehhjkm32.exe, 2196 Eflkda32.exe, 2400 Ehjgpm32.exe, 956 Ebblibdg.exe, 3052 Edahen32.exe, 2060 Emhpfk32.exe, 1608 Enilncik.exe, 2712 Ehoqklia.exe, 2080 Eqjepofl.exe, 2292 Fnneib32.exe,
2972 Fqlben32.exe, 2812 Fcknai32.exe, 2684 Fkbfbg32.exe, 2696 Fcmkgi32.exe, 2152 Fgiggh32.exe, 2160 Fnbodbaq.exe, 2708 Fmeopo32.exe, 832 Fgkcmg32.exe, 2332 Filpepno.exe, 2876 Fachfmna.exe,
1876 Fjllobeb.exe, 2600 Fiomjp32.exe, 2416 Flmifk32.exe, 2228 Geemoqaq.exe, 1868 Giaipo32.exe, 2244 Gmleqnbc.exe, 408 Gpkamiag.exe, 3060 Gnnbhf32.exe, 2700 Gfejic32.exe, 3008 Gehjepon.exe,
2232 Ghffal32.exe, 1284 Gpmnbi32.exe, 2388 Gnponefo.exe, 2784 Gblknd32.exe, 2624 Gejgjp32.exe, 2888 Ghhcfk32.exe, 280 Gldogjeh.exe, 892 Gjgobg32.exe, 2956 Gaagoqcp.exe, 1804 Gelcpp32.exe,
2184 Glflmi32.exe, 884 Gjilhfip.exe, 2156 Gmghdahd.exe, 796 Geopeoif.exe
Every dropped image has an eight-character pseudo-random name, most ending in "32". Commmdhp.exe appears twice (pids 2916 and 2764) because the first instance launches the second. The table stops at 64 entries, as every signature table on this page does, which indicates a display cap rather than the end of the chain: stages with names starting H through O appear only in the other tables.
Loads dropped DLL (64 IoCs)
Each of the following 32 processes is recorded twice (pid Process):
1724 47a7976ebc58ca48ff09a392db9bd950N.exe, 2028 Ceehdo32.exe, 2372 Cloqaiil.exe, 2916 Commmdhp.exe, 2764 Commmdhp.exe, 2884 Cciincqi.exe, 2748 Caliip32.exe, 2948 Cdlbkk32.exe,
2636 Dobfhd32.exe, 1872 Deloen32.exe, 2980 Dngcjp32.exe, 2440 Dpepfl32.exe, 1664 Dnipop32.exe, 2872 Daelpooi.exe, 2852 Dgbdhe32.exe, 1380 Dnlmdpem.exe,
584 Dgdane32.exe, 2488 Dnnijocj.exe, 376 Doofbg32.exe, 3040 Eckbbf32.exe, 920 Efinoa32.exe, 1936 Ehhjkm32.exe, 2196 Eflkda32.exe, 2400 Ehjgpm32.exe,
956 Ebblibdg.exe, 3052 Edahen32.exe, 2060 Emhpfk32.exe, 1608 Enilncik.exe, 2712 Ehoqklia.exe, 2080 Eqjepofl.exe, 2292 Fnneib32.exe, 2972 Fqlben32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit system directory. The created files are of two kinds: next-stage .exe files and .dll files, both with the same eight-character naming scheme. Several of the .dll names match InProcServer32 paths under "Modifies registry class" and are written by the same process (Gicnlo32.dll created by Gmghdahd.exe, Nnmoob32.dll created by Knemcf32.exe), which ties the file drops to the SSODL persistence. The "opened for modification" rows are each process touching the next stage it launches; compare adjacent pairs in "Executes dropped EXE" such as Fcmkgi32.exe then Fgiggh32.exe, or Eflkda32.exe then Ehjgpm32.exe.
File created (path, by process), 40 rows:
C:\Windows\SysWOW64\Moidlkbn.dll  Jhfhfp32.exe
C:\Windows\SysWOW64\Nnmoob32.dll  Knemcf32.exe
C:\Windows\SysWOW64\Ikjknnam.dll  Lckhbl32.exe
C:\Windows\SysWOW64\Iddkhijb.dll  Lneibjdf.exe
C:\Windows\SysWOW64\Lahojd32.exe  Lbeonhhj.exe
C:\Windows\SysWOW64\Omohlk32.dll  Dnnijocj.exe
C:\Windows\SysWOW64\Fkfndfdl.dll  Ogqcmmfj.exe
C:\Windows\SysWOW64\Ohakme32.dll  Kmjjec32.exe
C:\Windows\SysWOW64\Leaneciq.exe  Lbcbih32.exe
C:\Windows\SysWOW64\Lckhbl32.exe  Lkdqao32.exe
C:\Windows\SysWOW64\Moioml32.exe  Mpgoaplb.exe
C:\Windows\SysWOW64\Jjoeqmhb.dll  Geemoqaq.exe
C:\Windows\SysWOW64\Clonflhj.dll  Kdabfp32.exe
C:\Windows\SysWOW64\Jcdfbjkd.exe  Jpfjfn32.exe
C:\Windows\SysWOW64\Okhhgleb.dll  Kgnall32.exe
C:\Windows\SysWOW64\Abpiggbl.dll  Gaagoqcp.exe
C:\Windows\SysWOW64\Lneibjdf.exe  Lkgmfneb.exe
C:\Windows\SysWOW64\Gicnlo32.dll  Gmghdahd.exe
C:\Windows\SysWOW64\Bfmajonm.dll  Ikehchbn.exe
C:\Windows\SysWOW64\Djqaeanb.dll  Lnlpci32.exe
C:\Windows\SysWOW64\Hfbicg32.exe  Hddmgl32.exe
C:\Windows\SysWOW64\Heoeipbc.dll  Hbnccgoq.exe
C:\Windows\SysWOW64\Kmmgjb32.exe  Kfconhmc.exe
C:\Windows\SysWOW64\Mpgoaplb.exe  Mmhbedmn.exe
C:\Windows\SysWOW64\Joncmj32.exe  Jlogao32.exe
C:\Windows\SysWOW64\Nambigme.dll  Nbjdhj32.exe
C:\Windows\SysWOW64\Ndmneb32.exe  Naoaig32.exe
C:\Windows\SysWOW64\Adngeb32.dll  Hmlapa32.exe
C:\Windows\SysWOW64\Caegea32.dll  Jfqeie32.exe
C:\Windows\SysWOW64\Kdabfp32.exe  Kmjjec32.exe
C:\Windows\SysWOW64\Lnlpci32.exe  Llncgm32.exe
C:\Windows\SysWOW64\Commmdhp.exe  Cloqaiil.exe
C:\Windows\SysWOW64\Ehhjkm32.exe  Efinoa32.exe
C:\Windows\SysWOW64\Ajfilj32.dll  Gmleqnbc.exe
C:\Windows\SysWOW64\Ikehchbn.exe  Icnpbkal.exe
C:\Windows\SysWOW64\Idpiie32.dll  Jjjeddff.exe
C:\Windows\SysWOW64\Kqamjb32.exe  Kncpng32.exe
C:\Windows\SysWOW64\Djjanlnn.dll  Eqjepofl.exe
C:\Windows\SysWOW64\Bhidphdp.dll  Fcmkgi32.exe
C:\Windows\SysWOW64\Npikgo32.exe  Nlnpfqaf.exe
File opened for modification (path, by process), 24 rows:
C:\Windows\SysWOW64\Llijlncp.exe  Lgmnko32.exe
C:\Windows\SysWOW64\Ebblibdg.exe  Ehjgpm32.exe
C:\Windows\SysWOW64\Iknabi32.exe  Ilkaglal.exe
C:\Windows\SysWOW64\Leoaod32.exe  Lneibjdf.exe
C:\Windows\SysWOW64\Naanof32.exe  Nocbck32.exe
C:\Windows\SysWOW64\Fgiggh32.exe  Fcmkgi32.exe
C:\Windows\SysWOW64\Fgkcmg32.exe  Fmeopo32.exe
C:\Windows\SysWOW64\Ghmmakhj.exe  Geopeoif.exe
C:\Windows\SysWOW64\Iecfpa32.exe  Imlnod32.exe
C:\Windows\SysWOW64\Flmifk32.exe  Fiomjp32.exe
C:\Windows\SysWOW64\Gjilhfip.exe  Glflmi32.exe
C:\Windows\SysWOW64\Hmakkqqi.exe  Hieojahp.exe
C:\Windows\SysWOW64\Nbghck32.exe  Npikgo32.exe
C:\Windows\SysWOW64\Ehjgpm32.exe  Eflkda32.exe
C:\Windows\SysWOW64\Haeajp32.exe  Gngend32.exe
C:\Windows\SysWOW64\Ndmneb32.exe  Naoaig32.exe
C:\Windows\SysWOW64\Icnpbkal.exe  Ipocfobh.exe
C:\Windows\SysWOW64\Jhdkppgi.exe  Jbjccf32.exe
C:\Windows\SysWOW64\Nhbceb32.exe  Mfqgnj32.exe
C:\Windows\SysWOW64\Gpmnbi32.exe  Ghffal32.exe
C:\Windows\SysWOW64\Joncmj32.exe  Jlogao32.exe
C:\Windows\SysWOW64\Nkjbhlpf.exe  Ngnfgm32.exe
C:\Windows\SysWOW64\Kmocpbbm.exe  Kjqgdgcj.exe
C:\Windows\SysWOW64\Lgmnko32.exe  Leoaod32.exe
Program crash (1 IoC)
pid 4092 WerFault.exe, pid_target 4020, procid_target 250
WerFault.exe handled a crash of pid 4020. procid_target is the crashed process's index in the report's process list (compare procid_target 29 for the first child under "Suspicious use of WriteProcessMemory"), so the run reached at least its 250th process even though each table above is capped at 64 rows.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. By itself this read is low-signal, since legitimate software queries the install language too; what stands out here is that every dropped stage performs it.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by (64): Caliip32.exe, Glflmi32.exe, Ipapko32.exe, Jgkhhigb.exe, Lfjdnggk.exe, Nlbiap32.exe, Gngend32.exe, Hbpphgmn.exe, Lmdmka32.exe, Ehoqklia.exe, Jlogao32.exe, Lbeonhhj.exe, Nlnpfqaf.exe, Omjljg32.exe, Ceehdo32.exe, Gfejic32.exe, Jlhappfj.exe, Cciincqi.exe, Mijjof32.exe, Gehjepon.exe, Mjemni32.exe, Mpdblpnd.exe, Gmleqnbc.exe, Kgpnbl32.exe, Commmdhp.exe, Jcbimj32.exe, Cloqaiil.exe, Hoddhh32.exe, Lcfkfp32.exe, Kmocpbbm.exe, Fiomjp32.exe, Nkeimmdk.exe, Jbjccf32.exe, Kqamjb32.exe, Nackdfgc.exe, Doofbg32.exe, Gejgjp32.exe, Gjilhfip.exe, Mimfde32.exe, Hfbicg32.exe, Iddieoqi.exe, Oonego32.exe, Gjgobg32.exe, Idhcqn32.exe, Kdoepq32.exe, Lckhbl32.exe, Onmhogkd.exe, Dnlmdpem.exe, Ipocfobh.exe, Kfconhmc.exe, Odddfadd.exe, Cdlbkk32.exe, Daelpooi.exe, Ikbkmhda.exe, Nlpllpoc.exe, Fqlben32.exe, Iaemicaf.exe, Jhfhfp32.exe, Lgpjaohd.exe, Nkgfblbi.exe, Dngcjp32.exe, Fcknai32.exe, Hmoneq32.exe, Moioml32.exe
Modifies registry class (64 IoCs)
All writes are to the 32-bit COM registration of the SSODL CLSID, \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}. The original sample creates the CLSID key; each later stage re-points the InProcServer32 default value at its own DLL in C:\Windows\SysWow64 (the .dll drops under "Drops file in System32 directory"). On a live host only the last write is the one COM would resolve, so the DLL a responder finds in the registry is the final stage's, not necessarily the one any single process dropped.
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  by 47a7976ebc58ca48ff09a392db9bd950N.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}  by 47a7976ebc58ca48ff09a392db9bd950N.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  by (24): Iknabi32.exe, Jgihamlq.exe, Ogqcmmfj.exe, Fcmkgi32.exe, Gelcpp32.exe, Leoaod32.exe, Lgpjaohd.exe, Nkeimmdk.exe, Ioljhg32.exe, Lbcbih32.exe, Dnnijocj.exe, Hjneceek.exe, Kgnall32.exe, Fachfmna.exe, Jhfhfp32.exe, Nlpllpoc.exe, Nackdfgc.exe, Dngcjp32.exe, Gmghdahd.exe, Gejgjp32.exe, Jlmjko32.exe, Ljngmjhh.exe, Ibbmng32.exe, Idhcqn32.exe
Set value (str): ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  by (16): Gehjepon.exe, Mlifka32.exe, Ioljhg32.exe, Fmeopo32.exe, Gfejic32.exe, Nkjbhlpf.exe, Nlpllpoc.exe, Ceehdo32.exe, Enilncik.exe, Gjgobg32.exe, Llncgm32.exe, Ndmneb32.exe, Dnlmdpem.exe, Kfconhmc.exe, Efinoa32.exe, Filpepno.exe
Set value (str): ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (the key's default value) = DLL path, 22 rows in the order listed (backslashes doubled as the report prints them):
"C:\\Windows\\SysWow64\\Ipdldl32.dll"  Mpgoaplb.exe
"C:\\Windows\\SysWow64\\Pmcmhl32.dll"  Geopeoif.exe
"C:\\Windows\\SysWow64\\Kiimkm32.dll"  Mmcije32.exe
"C:\\Windows\\SysWow64\\Apnqpdpb.dll"  Kmocpbbm.exe
"C:\\Windows\\SysWow64\\Fhojdn32.dll"  Ibbmng32.exe
"C:\\Windows\\SysWow64\\Kmkhlbkj.dll"  Kjqgdgcj.exe
"C:\\Windows\\SysWow64\\Fdoijb32.dll"  Lmdmka32.exe
"C:\\Windows\\SysWow64\\Bbdemoin.dll"  Dgbdhe32.exe
"C:\\Windows\\SysWow64\\Ngaghd32.dll"  Gehjepon.exe
"C:\\Windows\\SysWow64\\Flqbhacl.dll"  Hieojahp.exe
"C:\\Windows\\SysWow64\\Ioalek32.dll"  Hpogglpm.exe
"C:\\Windows\\SysWow64\\Gicnlo32.dll"  Gmghdahd.exe
"C:\\Windows\\SysWow64\\Olncngqj.dll"  Leaneciq.exe
"C:\\Windows\\SysWow64\\Cmhlcc32.dll"  Dnipop32.exe
"C:\\Windows\\SysWow64\\Inlfcmip.dll"  Iaemicaf.exe
"C:\\Windows\\SysWow64\\Kicmki32.dll"  Ikbkmhda.exe
"C:\\Windows\\SysWow64\\Loehjg32.dll"  Ceehdo32.exe
"C:\\Windows\\SysWow64\\Gcmfchhf.dll"  Dpepfl32.exe
"C:\\Windows\\SysWow64\\Njgpjf32.dll"  Fkbfbg32.exe
"C:\\Windows\\SysWow64\\Nnmoob32.dll"  Knemcf32.exe
"C:\\Windows\\SysWow64\\Hhljef32.dll"  Nkeimmdk.exe
"C:\\Windows\\SysWow64\\Hiopgn32.dll"  Naanof32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
One row per process in the tree. Depth is the nesting level in the process tree (it rises by one per row, so each process launched the next); the command line is given beside the image path, followed by the signatures the sandbox attached to that process.

Depth | PID | Image path | Command line | Signatures
1 | 1724 | C:\Users\Admin\AppData\Local\Temp\47a7976ebc58ca48ff09a392db9bd950N.exe | "C:\Users\Admin\AppData\Local\Temp\47a7976ebc58ca48ff09a392db9bd950N.exe" | Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2 | 2028 | C:\Windows\SysWOW64\Ceehdo32.exe | C:\Windows\system32\Ceehdo32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
3 | 2372 | C:\Windows\SysWOW64\Cloqaiil.exe | C:\Windows\system32\Cloqaiil.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
4 | 2916 | C:\Windows\SysWOW64\Commmdhp.exe | C:\Windows\system32\Commmdhp.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 2764 | C:\Windows\SysWOW64\Commmdhp.exe | C:\Windows\system32\Commmdhp.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6 | 2884 | C:\Windows\SysWOW64\Cciincqi.exe | C:\Windows\system32\Cciincqi.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
7 | 2748 | C:\Windows\SysWOW64\Caliip32.exe | C:\Windows\system32\Caliip32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8 | 2948 | C:\Windows\SysWOW64\Cdlbkk32.exe | C:\Windows\system32\Cdlbkk32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9 | 2636 | C:\Windows\SysWOW64\Dobfhd32.exe | C:\Windows\system32\Dobfhd32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | 1872 | C:\Windows\SysWOW64\Deloen32.exe | C:\Windows\system32\Deloen32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 2980 | C:\Windows\SysWOW64\Dngcjp32.exe | C:\Windows\system32\Dngcjp32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
12 | 2440 | C:\Windows\SysWOW64\Dpepfl32.exe | C:\Windows\system32\Dpepfl32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13 | 1664 | C:\Windows\SysWOW64\Dnipop32.exe | C:\Windows\system32\Dnipop32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
14 | 2872 | C:\Windows\SysWOW64\Daelpooi.exe | C:\Windows\system32\Daelpooi.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
15 | 2852 | C:\Windows\SysWOW64\Dgbdhe32.exe | C:\Windows\system32\Dgbdhe32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
16 | 1380 | C:\Windows\SysWOW64\Dnlmdpem.exe | C:\Windows\system32\Dnlmdpem.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
17 | 584 | C:\Windows\SysWOW64\Dgdane32.exe | C:\Windows\system32\Dgdane32.exe | Executes dropped EXE; Loads dropped DLL
18 | 2488 | C:\Windows\SysWOW64\Dnnijocj.exe | C:\Windows\system32\Dnnijocj.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
19 | 376 | C:\Windows\SysWOW64\Doofbg32.exe | C:\Windows\system32\Doofbg32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20 | 3040 | C:\Windows\SysWOW64\Eckbbf32.exe | C:\Windows\system32\Eckbbf32.exe | Executes dropped EXE; Loads dropped DLL
21 | 920 | C:\Windows\SysWOW64\Efinoa32.exe | C:\Windows\system32\Efinoa32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
22 | 1936 | C:\Windows\SysWOW64\Ehhjkm32.exe | C:\Windows\system32\Ehhjkm32.exe | Executes dropped EXE; Loads dropped DLL
23 | 2196 | C:\Windows\SysWOW64\Eflkda32.exe | C:\Windows\system32\Eflkda32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24 | 2400 | C:\Windows\SysWOW64\Ehjgpm32.exe | C:\Windows\system32\Ehjgpm32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25 | 956 | C:\Windows\SysWOW64\Ebblibdg.exe | C:\Windows\system32\Ebblibdg.exe | Executes dropped EXE; Loads dropped DLL
26 | 3052 | C:\Windows\SysWOW64\Edahen32.exe | C:\Windows\system32\Edahen32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
27 | 2060 | C:\Windows\SysWOW64\Emhpfk32.exe | C:\Windows\system32\Emhpfk32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
28 | 1608 | C:\Windows\SysWOW64\Enilncik.exe | C:\Windows\system32\Enilncik.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
29 | 2712 | C:\Windows\SysWOW64\Ehoqklia.exe | C:\Windows\system32\Ehoqklia.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
30 | 2080 | C:\Windows\SysWOW64\Eqjepofl.exe | C:\Windows\system32\Eqjepofl.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31 | 2292 | C:\Windows\SysWOW64\Fnneib32.exe | C:\Windows\system32\Fnneib32.exe | Executes dropped EXE; Loads dropped DLL
32 | 2972 | C:\Windows\SysWOW64\Fqlben32.exe | C:\Windows\system32\Fqlben32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
33 | 2812 | C:\Windows\SysWOW64\Fcknai32.exe | C:\Windows\system32\Fcknai32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
34 | 2684 | C:\Windows\SysWOW64\Fkbfbg32.exe | C:\Windows\system32\Fkbfbg32.exe | Executes dropped EXE; Modifies registry class
35 | 2696 | C:\Windows\SysWOW64\Fcmkgi32.exe | C:\Windows\system32\Fcmkgi32.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
36 | 2152 | C:\Windows\SysWOW64\Fgiggh32.exe | C:\Windows\system32\Fgiggh32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
37 | 2160 | C:\Windows\SysWOW64\Fnbodbaq.exe | C:\Windows\system32\Fnbodbaq.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38 | 2708 | C:\Windows\SysWOW64\Fmeopo32.exe | C:\Windows\system32\Fmeopo32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
39 | 832 | C:\Windows\SysWOW64\Fgkcmg32.exe | C:\Windows\system32\Fgkcmg32.exe | Executes dropped EXE
40 | 2332 | C:\Windows\SysWOW64\Filpepno.exe | C:\Windows\system32\Filpepno.exe | Executes dropped EXE; Modifies registry class
41 | 2876 | C:\Windows\SysWOW64\Fachfmna.exe | C:\Windows\system32\Fachfmna.exe | Executes dropped EXE; Modifies registry class
42 | 1876 | C:\Windows\SysWOW64\Fjllobeb.exe | C:\Windows\system32\Fjllobeb.exe | Executes dropped EXE
43 | 2600 | C:\Windows\SysWOW64\Fiomjp32.exe | C:\Windows\system32\Fiomjp32.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
44 | 2416 | C:\Windows\SysWOW64\Flmifk32.exe | C:\Windows\system32\Flmifk32.exe | Executes dropped EXE
45 | 2228 | C:\Windows\SysWOW64\Geemoqaq.exe | C:\Windows\system32\Geemoqaq.exe | Executes dropped EXE; Drops file in System32 directory
46 | 1868 | C:\Windows\SysWOW64\Giaipo32.exe | C:\Windows\system32\Giaipo32.exe | Executes dropped EXE
47 | 2244 | C:\Windows\SysWOW64\Gmleqnbc.exe | C:\Windows\system32\Gmleqnbc.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
48 | 408 | C:\Windows\SysWOW64\Gpkamiag.exe | C:\Windows\system32\Gpkamiag.exe | Executes dropped EXE
49 | 3060 | C:\Windows\SysWOW64\Gnnbhf32.exe | C:\Windows\system32\Gnnbhf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50 | 2700 | C:\Windows\SysWOW64\Gfejic32.exe | C:\Windows\system32\Gfejic32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
51 | 3008 | C:\Windows\SysWOW64\Gehjepon.exe | C:\Windows\system32\Gehjepon.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
52 | 2232 | C:\Windows\SysWOW64\Ghffal32.exe | C:\Windows\system32\Ghffal32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
53 | 1284 | C:\Windows\SysWOW64\Gpmnbi32.exe | C:\Windows\system32\Gpmnbi32.exe | Executes dropped EXE
54 | 2388 | C:\Windows\SysWOW64\Gnponefo.exe | C:\Windows\system32\Gnponefo.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
55 | 2784 | C:\Windows\SysWOW64\Gblknd32.exe | C:\Windows\system32\Gblknd32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
56 | 2624 | C:\Windows\SysWOW64\Gejgjp32.exe | C:\Windows\system32\Gejgjp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
57 | 2888 | C:\Windows\SysWOW64\Ghhcfk32.exe | C:\Windows\system32\Ghhcfk32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58 | 280 | C:\Windows\SysWOW64\Gldogjeh.exe | C:\Windows\system32\Gldogjeh.exe | Executes dropped EXE
59 | 892 | C:\Windows\SysWOW64\Gjgobg32.exe | C:\Windows\system32\Gjgobg32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
60 | 2956 | C:\Windows\SysWOW64\Gaagoqcp.exe | C:\Windows\system32\Gaagoqcp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
61 | 1804 | C:\Windows\SysWOW64\Gelcpp32.exe | C:\Windows\system32\Gelcpp32.exe | Executes dropped EXE; Modifies registry class
62 | 2184 | C:\Windows\SysWOW64\Glflmi32.exe | C:\Windows\system32\Glflmi32.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
63 | 884 | C:\Windows\SysWOW64\Gjilhfip.exe | C:\Windows\system32\Gjilhfip.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
64 | 2156 | C:\Windows\SysWOW64\Gmghdahd.exe | C:\Windows\system32\Gmghdahd.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
65 | 796 | C:\Windows\SysWOW64\Geopeoif.exe | C:\Windows\system32\Geopeoif.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
66 | 2864 | C:\Windows\SysWOW64\Ghmmakhj.exe | C:\Windows\system32\Ghmmakhj.exe | (none)
67 | 540 | C:\Windows\SysWOW64\Gngend32.exe | C:\Windows\system32\Gngend32.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery
68 | 1688 | C:\Windows\SysWOW64\Haeajp32.exe | C:\Windows\system32\Haeajp32.exe | (none)
69 | 2744 | C:\Windows\SysWOW64\Hddmgl32.exe | C:\Windows\system32\Hddmgl32.exe | Drops file in System32 directory
70 | 2768 | C:\Windows\SysWOW64\Hfbicg32.exe | C:\Windows\system32\Hfbicg32.exe | System Location Discovery: System Language Discovery
71 | 2620 | C:\Windows\SysWOW64\Hjneceek.exe | C:\Windows\system32\Hjneceek.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
72 | 2668 | C:\Windows\SysWOW64\Hmlapa32.exe | C:\Windows\system32\Hmlapa32.exe | Drops file in System32 directory
73 | 2984 | C:\Windows\SysWOW64\Hpknlm32.exe | C:\Windows\system32\Hpknlm32.exe | (none)
74 | 2408 | C:\Windows\SysWOW64\Hbijhh32.exe | C:\Windows\system32\Hbijhh32.exe | (none)
75 | 2484 | C:\Windows\SysWOW64\Hfdfhgko.exe | C:\Windows\system32\Hfdfhgko.exe | (none)
76 | 380 | C:\Windows\SysWOW64\Hmoneq32.exe | C:\Windows\system32\Hmoneq32.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
77 | 2860 | C:\Windows\SysWOW64\Hlaoqnif.exe | C:\Windows\system32\Hlaoqnif.exe | Adds autorun key to be loaded by Explorer.exe on startup
78 | 1624 | C:\Windows\SysWOW64\Hbkgmh32.exe | C:\Windows\system32\Hbkgmh32.exe | (none)
79 | 2220 | C:\Windows\SysWOW64\Hieojahp.exe | C:\Windows\system32\Hieojahp.exe | Drops file in System32 directory; Modifies registry class
80 | 1948 | C:\Windows\SysWOW64\Hmakkqqi.exe | C:\Windows\system32\Hmakkqqi.exe | (none)
81 | 1928 | C:\Windows\SysWOW64\Hpogglpm.exe | C:\Windows\system32\Hpogglpm.exe | Modifies registry class
82 | 1324 | C:\Windows\SysWOW64\Hbnccgoq.exe | C:\Windows\system32\Hbnccgoq.exe | Drops file in System32 directory
83 | 1672 | C:\Windows\SysWOW64\Hfipcf32.exe | C:\Windows\system32\Hfipcf32.exe | (none)
84 | 1424 | C:\Windows\SysWOW64\Hhklknmh.exe | C:\Windows\system32\Hhklknmh.exe | (none)
85 | 1548 | C:\Windows\SysWOW64\Hoddhh32.exe | C:\Windows\system32\Hoddhh32.exe | System Location Discovery: System Language Discovery
86 | 2880 | C:\Windows\SysWOW64\Hbpphgmn.exe | C:\Windows\system32\Hbpphgmn.exe | System Location Discovery: System Language Discovery
87 | 1156 | C:\Windows\SysWOW64\Heomdbla.exe | C:\Windows\system32\Heomdbla.exe | (none)
88 | 2776 | C:\Windows\SysWOW64\Ihmiqnke.exe | C:\Windows\system32\Ihmiqnke.exe | Adds autorun key to be loaded by Explorer.exe on startup
89 | 268 | C:\Windows\SysWOW64\Ibbmng32.exe | C:\Windows\system32\Ibbmng32.exe | Modifies registry class
90 | 2820 | C:\Windows\SysWOW64\Iaemicaf.exe | C:\Windows\system32\Iaemicaf.exe | System Location Discovery: System Language Discovery; Modifies registry class
91 | 2216 | C:\Windows\SysWOW64\Iddieoqi.exe | C:\Windows\system32\Iddieoqi.exe | System Location Discovery: System Language Discovery
92 | 2868 | C:\Windows\SysWOW64\Ilkaglal.exe | C:\Windows\system32\Ilkaglal.exe | Drops file in System32 directory
93 | 2464 | C:\Windows\SysWOW64\Iknabi32.exe | C:\Windows\system32\Iknabi32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
94 | 2364 | C:\Windows\SysWOW64\Imlnod32.exe | C:\Windows\system32\Imlnod32.exe | Drops file in System32 directory
95 | 2496 | C:\Windows\SysWOW64\Iecfpa32.exe | C:\Windows\system32\Iecfpa32.exe | Adds autorun key to be loaded by Explorer.exe on startup
96 | 1256 | C:\Windows\SysWOW64\Ihablm32.exe | C:\Windows\system32\Ihablm32.exe | (none)
97 | 1920 | C:\Windows\SysWOW64\Ioljhg32.exe | C:\Windows\system32\Ioljhg32.exe | Modifies registry class
98 | 1384 | C:\Windows\SysWOW64\Iajgdc32.exe | C:\Windows\system32\Iajgdc32.exe | Adds autorun key to be loaded by Explorer.exe on startup
99 | 2760 | C:\Windows\SysWOW64\Idhcqn32.exe | C:\Windows\system32\Idhcqn32.exe | System Location Discovery: System Language Discovery; Modifies registry class
100 | 3020 | C:\Windows\SysWOW64\Iggomj32.exe | C:\Windows\system32\Iggomj32.exe | (none)
101 | 1660 | C:\Windows\SysWOW64\Ikbkmhda.exe | C:\Windows\system32\Ikbkmhda.exe | System Location Discovery: System Language Discovery; Modifies registry class
102 | 2052 | C:\Windows\SysWOW64\Inagjdcd.exe | C:\Windows\system32\Inagjdcd.exe | (none)
103 | 1276 | C:\Windows\SysWOW64\Ipocfobh.exe | C:\Windows\system32\Ipocfobh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
104 | 2272 | C:\Windows\SysWOW64\Icnpbkal.exe | C:\Windows\system32\Icnpbkal.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
105 | 1084 | C:\Windows\SysWOW64\Ikehchbn.exe | C:\Windows\system32\Ikehchbn.exe | Drops file in System32 directory
106 | 1932 | C:\Windows\SysWOW64\Incdocab.exe | C:\Windows\system32\Incdocab.exe | (none)
107 | 2472 | C:\Windows\SysWOW64\Ipapko32.exe | C:\Windows\system32\Ipapko32.exe | System Location Discovery: System Language Discovery
108 | 2468 | C:\Windows\SysWOW64\Jcpmgj32.exe | C:\Windows\system32\Jcpmgj32.exe | (none)
109 | 1244 | C:\Windows\SysWOW64\Jgkhhigb.exe | C:\Windows\system32\Jgkhhigb.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
110 | 2568 | C:\Windows\SysWOW64\Jjjeddff.exe | C:\Windows\system32\Jjjeddff.exe | Drops file in System32 directory
111 | 2892 | C:\Windows\SysWOW64\Jlhappfj.exe | C:\Windows\system32\Jlhappfj.exe | System Location Discovery: System Language Discovery
112 | 3016 | C:\Windows\SysWOW64\Jogmlken.exe | C:\Windows\system32\Jogmlken.exe | Adds autorun key to be loaded by Explorer.exe on startup
113 | 1132 | C:\Windows\SysWOW64\Jcbimj32.exe | C:\Windows\system32\Jcbimj32.exe | System Location Discovery: System Language Discovery
114 | 1096 | C:\Windows\SysWOW64\Jfqeie32.exe | C:\Windows\system32\Jfqeie32.exe | Drops file in System32 directory
115 | 2804 | C:\Windows\SysWOW64\Jpfjfn32.exe | C:\Windows\system32\Jpfjfn32.exe | Drops file in System32 directory
116 | 2504 | C:\Windows\SysWOW64\Jcdfbjkd.exe | C:\Windows\system32\Jcdfbjkd.exe | Adds autorun key to be loaded by Explorer.exe on startup
117 | 1124 | C:\Windows\SysWOW64\Jagfnf32.exe | C:\Windows\system32\Jagfnf32.exe | (none)
118 | 912 | C:\Windows\SysWOW64\Jjonod32.exe | C:\Windows\system32\Jjonod32.exe | Adds autorun key to be loaded by Explorer.exe on startup
119 | 1116 | C:\Windows\SysWOW64\Jlmjko32.exe | C:\Windows\system32\Jlmjko32.exe | Modifies registry class
120 | 2460 | C:\Windows\SysWOW64\Jokggk32.exe | C:\Windows\system32\Jokggk32.exe | (none)
121 | 812 | C:\Windows\SysWOW64\Jbjccf32.exe | C:\Windows\system32\Jbjccf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
122 | 2240 | C:\Windows\SysWOW64\Jhdkppgi.exe | C:\Windows\system32\Jhdkppgi.exe | (none)