Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 07:04
Static task
static1
Behavioral task
behavioral1
Sample
c9f04bfcb904066265b1283c120b38e0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c9f04bfcb904066265b1283c120b38e0N.exe
Resource
win10v2004-20240802-en
General
-
Target
c9f04bfcb904066265b1283c120b38e0N.exe
-
Size
109KB
-
MD5
c9f04bfcb904066265b1283c120b38e0
-
SHA1
d0a6e94a282a3599de8092f8080b573a6203021d
-
SHA256
5a0f4c19e41ead5c96d2c2662e29c93a8e619b8c1622114eaef1ea8708995f3d
-
SHA512
03762d428f381d624dda2ae9785ac234b242889b6332da622f1ee5de7fe591ff1fda6b01ca52a3d59ec4bb71187a41eb80e1c375affc037914f321d9562690d9
-
SSDEEP
3072:Kh6+e5w0+ytJx4kMSh8Ouy0J9JLCqwzBu1DjHLMVDqqkSp:KhDytJx4kkTJ9xwtu1DjrFqh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofomolo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edeclabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkplgoop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcjoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejiadgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqopfbfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnlepioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhpabdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqbeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hljaigmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckecpjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnkkmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heijidbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odiklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajapoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbdfni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdonjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejiehfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cccdjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgqbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpoejbhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmdjgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfkkeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnciiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmlnjcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehmoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liblfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmllpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngpcohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Magdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dchpnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Almihjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kffqqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoppadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Defljp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbpnlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" c9f04bfcb904066265b1283c120b38e0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajldkhjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admgglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkdcdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odiklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agqfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbookpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbghdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeghmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpgfmeag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkdoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndndbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollqllod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckmpicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkffi32.exe -
Executes dropped EXE 64 IoCs
pid Process 344 Hljaigmo.exe 2612 Hcdifa32.exe 2788 Hlmnogkl.exe 2496 Hhfkihon.exe 2544 Imhqbkbm.exe 756 Ingmmn32.exe 328 Immjnj32.exe 2944 Ikagogco.exe 1356 Jkdcdf32.exe 2380 Jelhmlgm.exe 1336 Jkimpfmg.exe 1960 Jcdadhjb.exe 1196 Jahbmlil.exe 2340 Jfekec32.exe 1692 Kckhdg32.exe 2052 Kcmdjgbh.exe 960 Khojcj32.exe 876 Kecjmodq.exe 2176 Lolofd32.exe 1984 Lonlkcho.exe 2972 Ldkdckff.exe 2220 Lkgifd32.exe 1000 Lilfgq32.exe 1912 Lcdjpfgh.exe 1948 Mhdpnm32.exe 2680 Maldfbjn.exe 3036 Mopdpg32.exe 2752 Maanab32.exe 2508 Moenkf32.exe 2564 Ngpcohbm.exe 2488 Njalacon.exe 1660 Njchfc32.exe 2684 Nckmpicl.exe 2036 Nldahn32.exe 444 Odacbpee.exe 2800 Onjgkf32.exe 2836 Onldqejb.exe 2136 Oehicoom.exe 1684 Pcbookpp.exe 2320 Pbjifgcd.exe 1812 Pehebbbh.exe 2444 Qpniokan.exe 1620 Qifnhaho.exe 852 Ajldkhjh.exe 2572 Ajnqphhe.exe 1092 Aicmadmm.exe 1072 Adiaommc.exe 660 Aejnfe32.exe 2952 Aldfcpjn.exe 1388 Bfjkphjd.exe 2696 Blgcio32.exe 2436 Bikcbc32.exe 2924 Bafhff32.exe 2552 Bhpqcpkm.exe 3064 Bedamd32.exe 572 Bnofaf32.exe 2948 Bggjjlnb.exe 2812 Cnabffeo.exe 2772 Cdkkcp32.exe 1584 Ckecpjdh.exe 2096 Ccqhdmbc.exe 2268 Cjjpag32.exe 1652 Clilmbhd.exe 1936 Cccdjl32.exe -
Loads dropped DLL 64 IoCs
pid Process 1188 c9f04bfcb904066265b1283c120b38e0N.exe 1188 c9f04bfcb904066265b1283c120b38e0N.exe 344 Hljaigmo.exe 344 Hljaigmo.exe 2612 Hcdifa32.exe 2612 Hcdifa32.exe 2788 Hlmnogkl.exe 2788 Hlmnogkl.exe 2496 Hhfkihon.exe 2496 Hhfkihon.exe 2544 Imhqbkbm.exe 2544 Imhqbkbm.exe 756 Ingmmn32.exe 756 Ingmmn32.exe 328 Immjnj32.exe 328 Immjnj32.exe 2944 Ikagogco.exe 2944 Ikagogco.exe 1356 Jkdcdf32.exe 1356 Jkdcdf32.exe 2380 Jelhmlgm.exe 2380 Jelhmlgm.exe 1336 Jkimpfmg.exe 1336 Jkimpfmg.exe 1960 Jcdadhjb.exe 1960 Jcdadhjb.exe 1196 Jahbmlil.exe 1196 Jahbmlil.exe 2340 Jfekec32.exe 2340 Jfekec32.exe 1692 Kckhdg32.exe 1692 Kckhdg32.exe 2052 Kcmdjgbh.exe 2052 Kcmdjgbh.exe 960 Khojcj32.exe 960 Khojcj32.exe 876 Kecjmodq.exe 876 Kecjmodq.exe 2176 Lolofd32.exe 2176 Lolofd32.exe 1984 Lonlkcho.exe 1984 Lonlkcho.exe 2972 Ldkdckff.exe 2972 Ldkdckff.exe 2220 Lkgifd32.exe 2220 Lkgifd32.exe 1000 Lilfgq32.exe 1000 Lilfgq32.exe 1912 Lcdjpfgh.exe 1912 Lcdjpfgh.exe 1948 Mhdpnm32.exe 1948 Mhdpnm32.exe 2680 Maldfbjn.exe 2680 Maldfbjn.exe 3036 Mopdpg32.exe 3036 Mopdpg32.exe 2752 Maanab32.exe 2752 Maanab32.exe 2508 Moenkf32.exe 2508 Moenkf32.exe 2564 Ngpcohbm.exe 2564 Ngpcohbm.exe 2488 Njalacon.exe 2488 Njalacon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fgpock32.exe Egmbnkie.exe File created C:\Windows\SysWOW64\Qklhgdgp.dll Pbjifgcd.exe File created C:\Windows\SysWOW64\Fpgnoo32.exe Efoifiep.exe File created C:\Windows\SysWOW64\Fabmmejd.exe Fhjhdp32.exe File created C:\Windows\SysWOW64\Fgpock32.exe Egmbnkie.exe File opened for modification C:\Windows\SysWOW64\Oeoeplfn.exe Olgpff32.exe File opened for modification C:\Windows\SysWOW64\Oeaael32.exe Occeip32.exe File opened for modification C:\Windows\SysWOW64\Bdipfi32.exe Bdgcaj32.exe File created C:\Windows\SysWOW64\Jpcdqpqj.exe Jdlclo32.exe File opened for modification C:\Windows\SysWOW64\Bnofaf32.exe Bedamd32.exe File created C:\Windows\SysWOW64\Gmkiol32.dll Edeclabl.exe File created C:\Windows\SysWOW64\Ohebjg32.dll Eqopfbfn.exe File opened for modification C:\Windows\SysWOW64\Jfpmifoa.exe Jpcdqpqj.exe File opened for modification C:\Windows\SysWOW64\Koogbk32.exe Kdjceb32.exe File opened for modification C:\Windows\SysWOW64\Fhglop32.exe Fnogfk32.exe File created C:\Windows\SysWOW64\Migbpocm.exe Mpnngi32.exe File opened for modification C:\Windows\SysWOW64\Nndgeplo.exe Nkfkidmk.exe File created C:\Windows\SysWOW64\Ipfkabpg.exe Igngim32.exe File created C:\Windows\SysWOW64\Hlmnogkl.exe Hcdifa32.exe File opened for modification C:\Windows\SysWOW64\Lkgifd32.exe Ldkdckff.exe File created C:\Windows\SysWOW64\Mbpmdgef.dll Aejnfe32.exe File opened for modification C:\Windows\SysWOW64\Onmfin32.exe Oeaael32.exe File created C:\Windows\SysWOW64\Hiohip32.dll Lcffgnnc.exe File opened for modification C:\Windows\SysWOW64\Lolofd32.exe Kecjmodq.exe File created C:\Windows\SysWOW64\Igkdaemk.dll Ccqhdmbc.exe File created C:\Windows\SysWOW64\Jpopml32.dll Pajeanhf.exe File created C:\Windows\SysWOW64\Dflpeo32.dll Jnbifl32.exe File opened for modification C:\Windows\SysWOW64\Clinfk32.exe Ckhbnb32.exe File created C:\Windows\SysWOW64\Hbghdj32.exe Hkppcmjk.exe File opened for modification C:\Windows\SysWOW64\Gabofn32.exe Fgjkmijh.exe File created C:\Windows\SysWOW64\Komjmk32.exe Kdgfpbaf.exe File opened for modification C:\Windows\SysWOW64\Ikagogco.exe Immjnj32.exe File opened for modification C:\Windows\SysWOW64\Nkfkidmk.exe Neibanod.exe File opened for modification C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe File created C:\Windows\SysWOW64\Iagaod32.exe Idcqep32.exe File opened for modification C:\Windows\SysWOW64\Moenkf32.exe Maanab32.exe File opened for modification C:\Windows\SysWOW64\Jcoanb32.exe Jnbifl32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Nphpng32.exe File created C:\Windows\SysWOW64\Nepach32.exe Npcika32.exe File created C:\Windows\SysWOW64\Abgqlf32.dll Afbpnlcd.exe File created C:\Windows\SysWOW64\Nelgfoke.dll Jjmcfl32.exe File opened for modification C:\Windows\SysWOW64\Ejiadgkl.exe Ecoihm32.exe File created C:\Windows\SysWOW64\Jaonji32.exe Jjcieg32.exe File created C:\Windows\SysWOW64\Binikb32.exe Bpfebmia.exe File opened for modification C:\Windows\SysWOW64\Ekpkhkji.exe Edeclabl.exe File created C:\Windows\SysWOW64\Kjheobko.dll Egihcl32.exe File created C:\Windows\SysWOW64\Hmiljb32.exe Habkeacd.exe File created C:\Windows\SysWOW64\Lbjqik32.dll Jpcdqpqj.exe File created C:\Windows\SysWOW64\Qifnhaho.exe Qpniokan.exe File created C:\Windows\SysWOW64\Fakmpf32.dll Ebcmfj32.exe File created C:\Windows\SysWOW64\Gcjoipcl.dll Meemgk32.exe File created C:\Windows\SysWOW64\Nfgbdo32.dll Lkfdfo32.exe File created C:\Windows\SysWOW64\Mgbkgheh.dll Gbcien32.exe File created C:\Windows\SysWOW64\Nlanhh32.exe Negeln32.exe File created C:\Windows\SysWOW64\Hhfmbq32.exe Hlpmmpam.exe File created C:\Windows\SysWOW64\Goapjnoo.exe Ghghnc32.exe File created C:\Windows\SysWOW64\Mjddnjdf.exe Mpoppadq.exe File opened for modification C:\Windows\SysWOW64\Odacbpee.exe Nldahn32.exe File created C:\Windows\SysWOW64\Bikcbc32.exe Blgcio32.exe File created C:\Windows\SysWOW64\Cidffnka.dll Nkfkidmk.exe File created C:\Windows\SysWOW64\Koogbk32.exe Kdjceb32.exe File created C:\Windows\SysWOW64\Mbpibm32.exe Mjddnjdf.exe File opened for modification C:\Windows\SysWOW64\Afnfcl32.exe Aqanke32.exe File created C:\Windows\SysWOW64\Nckmpicl.exe Njchfc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4632 1908 WerFault.exe 433 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndndbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iencdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdfgbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckhdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdehpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmnaaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akphfbbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbkig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leqeed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjeihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjdimdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmiljb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icgdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piemih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Habili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmoeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckflc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmdjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpmifoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epipql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcqep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npffaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c9f04bfcb904066265b1283c120b38e0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnmfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabncj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkaoalg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcdqpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolhdbjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejiadgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckloge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djafaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgbkacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmpnjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmenijcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabmmejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjgkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipfkabpg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgobcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimecp32.dll" Hpicbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojnea32.dll" Pipjpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgohnp32.dll" Qqbeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maanab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqcjaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindop32.dll" Pbjkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkgifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll" Akphfbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmcad32.dll" Lilfgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqcjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnmae32.dll" Ihlpqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll" Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjheobko.dll" Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcgkpie.dll" Dkmghe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 c9f04bfcb904066265b1283c120b38e0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkfhg32.dll" Immjnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kecjmodq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" Pfkkeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inalmqgb.dll" Qpniokan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glkgcmbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lajmkhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjmnmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeccdila.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcdgpcj.dll" Ajldkhjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll" Dlboca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbniohpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekhe32.dll" Lbmpnjai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lonlkcho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdaemk.dll" Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemldo32.dll" Hogcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjoipcl.dll" Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bboqbe32.dll" Nldcagaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbpibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehameajg.dll" Gmkjgfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhpabdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gibmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pchbmigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Midnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bleilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppknlppm.dll" Jcleiclo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peiejhfb.dll" Nlanhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojkpqcn.dll" Dooqceid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnhgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igldicdf.dll" Fmdfppkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npcika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpmdgef.dll" Aejnfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Habili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkhmj32.dll" Fiedfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pipjpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjihci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oingii32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1188 wrote to memory of 344 1188 c9f04bfcb904066265b1283c120b38e0N.exe 30 PID 1188 wrote to memory of 344 1188 c9f04bfcb904066265b1283c120b38e0N.exe 30 PID 1188 wrote to memory of 344 1188 c9f04bfcb904066265b1283c120b38e0N.exe 30 PID 1188 wrote to memory of 344 1188 c9f04bfcb904066265b1283c120b38e0N.exe 30 PID 344 wrote to memory of 2612 344 Hljaigmo.exe 31 PID 344 wrote to memory of 2612 344 Hljaigmo.exe 31 PID 344 wrote to memory of 2612 344 Hljaigmo.exe 31 PID 344 wrote to memory of 2612 344 Hljaigmo.exe 31 PID 2612 wrote to memory of 2788 2612 Hcdifa32.exe 32 PID 2612 wrote to memory of 2788 2612 Hcdifa32.exe 32 PID 2612 wrote to memory of 2788 2612 Hcdifa32.exe 32 PID 2612 wrote to memory of 2788 2612 Hcdifa32.exe 32 PID 2788 wrote to memory of 2496 2788 Hlmnogkl.exe 33 PID 2788 wrote to memory of 2496 2788 Hlmnogkl.exe 33 PID 2788 wrote to memory of 2496 2788 Hlmnogkl.exe 33 PID 2788 wrote to memory of 2496 2788 Hlmnogkl.exe 33 PID 2496 wrote to memory of 2544 2496 Hhfkihon.exe 34 PID 2496 wrote to memory of 2544 2496 Hhfkihon.exe 34 PID 2496 wrote to memory of 2544 2496 Hhfkihon.exe 34 PID 2496 wrote to memory of 2544 2496 Hhfkihon.exe 34 PID 2544 wrote to memory of 756 2544 Imhqbkbm.exe 35 PID 2544 wrote to memory of 756 2544 Imhqbkbm.exe 35 PID 2544 wrote to memory of 756 2544 Imhqbkbm.exe 35 PID 2544 wrote to memory of 756 2544 Imhqbkbm.exe 35 PID 756 wrote to memory of 328 756 Ingmmn32.exe 36 PID 756 wrote to memory of 328 756 Ingmmn32.exe 36 PID 756 wrote to memory of 328 756 Ingmmn32.exe 36 PID 756 wrote to memory of 328 756 Ingmmn32.exe 36 PID 328 wrote to memory of 2944 328 Immjnj32.exe 37 PID 328 wrote to memory of 2944 328 Immjnj32.exe 37 PID 328 wrote to memory of 2944 328 Immjnj32.exe 37 PID 328 wrote to memory of 2944 328 Immjnj32.exe 37 PID 2944 wrote to memory of 1356 2944 Ikagogco.exe 38 PID 2944 wrote to memory of 1356 2944 Ikagogco.exe 38 PID 2944 wrote to memory of 1356 2944 Ikagogco.exe 38 PID 2944 wrote to memory of 1356 2944 Ikagogco.exe 38 PID 1356 wrote to memory of 2380 1356 Jkdcdf32.exe 39 PID 1356 wrote to memory of 2380 1356 Jkdcdf32.exe 39 PID 1356 wrote to memory of 2380 1356 Jkdcdf32.exe 39 PID 1356 wrote to memory of 2380 1356 Jkdcdf32.exe 39 PID 2380 wrote to memory of 1336 2380 Jelhmlgm.exe 40 PID 2380 wrote to memory of 1336 2380 Jelhmlgm.exe 40 PID 2380 wrote to memory of 1336 2380 Jelhmlgm.exe 40 PID 2380 wrote to memory of 1336 2380 Jelhmlgm.exe 40 PID 1336 wrote to memory of 1960 1336 Jkimpfmg.exe 41 PID 1336 wrote to memory of 1960 1336 Jkimpfmg.exe 41 PID 1336 wrote to memory of 1960 1336 Jkimpfmg.exe 41 PID 1336 wrote to memory of 1960 1336 Jkimpfmg.exe 41 PID 1960 wrote to memory of 1196 1960 Jcdadhjb.exe 42 PID 1960 wrote to memory of 1196 1960 Jcdadhjb.exe 42 PID 1960 wrote to memory of 1196 1960 Jcdadhjb.exe 42 PID 1960 wrote to memory of 1196 1960 Jcdadhjb.exe 42 PID 1196 wrote to memory of 2340 1196 Jahbmlil.exe 43 PID 1196 wrote to memory of 2340 1196 Jahbmlil.exe 43 PID 1196 wrote to memory of 2340 1196 Jahbmlil.exe 43 PID 1196 wrote to memory of 2340 1196 Jahbmlil.exe 43 PID 2340 wrote to memory of 1692 2340 Jfekec32.exe 44 PID 2340 wrote to memory of 1692 2340 Jfekec32.exe 44 PID 2340 wrote to memory of 1692 2340 Jfekec32.exe 44 PID 2340 wrote to memory of 1692 2340 Jfekec32.exe 44 PID 1692 wrote to memory of 2052 1692 Kckhdg32.exe 45 PID 1692 wrote to memory of 2052 1692 Kckhdg32.exe 45 PID 1692 wrote to memory of 2052 1692 Kckhdg32.exe 45 PID 1692 wrote to memory of 2052 1692 Kckhdg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9f04bfcb904066265b1283c120b38e0N.exe"C:\Users\Admin\AppData\Local\Temp\c9f04bfcb904066265b1283c120b38e0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe36⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe42⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe44⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Ajnqphhe.exeC:\Windows\system32\Ajnqphhe.exe46⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe47⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe48⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe50⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe51⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe54⤵PID:2740
-
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe58⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe67⤵PID:2192
-
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe68⤵PID:1520
-
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe69⤵PID:2452
-
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe70⤵PID:1012
-
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe71⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe72⤵PID:1184
-
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe75⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe76⤵PID:848
-
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe77⤵PID:1492
-
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe79⤵PID:1476
-
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe80⤵PID:1628
-
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe81⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe85⤵PID:1456
-
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe86⤵PID:1292
-
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe87⤵PID:1216
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe89⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe90⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe91⤵PID:2520
-
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe92⤵PID:940
-
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe93⤵PID:1352
-
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe94⤵PID:1032
-
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe95⤵PID:2072
-
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe96⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe97⤵PID:2140
-
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe99⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe100⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe101⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe103⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe104⤵PID:2916
-
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe105⤵PID:2560
-
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe106⤵PID:1116
-
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe107⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe108⤵PID:2556
-
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe109⤵PID:2132
-
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe112⤵PID:1920
-
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe113⤵PID:2412
-
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe117⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe118⤵PID:1708
-
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe119⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe120⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe121⤵PID:884
-
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe122⤵PID:936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-