Analysis
-
max time kernel
113s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/09/2024, 13:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f32096cef418a80d5bf813cf4b6722a0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f32096cef418a80d5bf813cf4b6722a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f32096cef418a80d5bf813cf4b6722a0N.exe
-
Size
352KB
-
MD5
f32096cef418a80d5bf813cf4b6722a0
-
SHA1
6caf4c46c36644531e3db74c942aef6ae09e2ec9
-
SHA256
78a49036324c47b18c389a04127509cd3376ffb37e2f0bda98ce632a58f10dff
-
SHA512
578a4d13f5196622aca02ef1edad14ef4c91afb1f3c24a7c75499adf4a08233c5907e2fa8f4c0a7c249b60d2eb38a8547eb37dc2bacc9ebf16a7af0cc0b9dee0
-
SSDEEP
6144:nOpgMsQz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:nOiMQsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nloachkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmliqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnppgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johaalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefeaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadhen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiiilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfgnldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajlac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knodnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadhen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figoefkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figoefkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiimfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fholmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljfdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkbfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpgee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhadgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkaihkih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Godhgedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcqjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilifndlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johaalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakecld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdpblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhgpcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccdqloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljanhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojfnakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kccian32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekgfkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglmifca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adiaommc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egebjmdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbenc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad f32096cef418a80d5bf813cf4b6722a0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echlmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmcedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjfjalp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claake32.exe -
Executes dropped EXE 64 IoCs
pid Process 2960 Einlmkhp.exe 2616 Edcqjc32.exe 2636 Fhjoof32.exe 2704 Facdgl32.exe 2560 Ggdekbgb.exe 388 Gpmjcg32.exe 2456 Gmqkml32.exe 1452 Hofqpc32.exe 2884 Hfebhmbm.exe 1680 Halcmn32.exe 2160 Hkdgecna.exe 1736 Idmlniea.exe 3000 Imjmhkpj.exe 3056 Ikagogco.exe 1756 Imacijjb.exe 732 Jnemfa32.exe 1560 Jngilalk.exe 832 Kamlhl32.exe 1640 Kihpmnbb.exe 556 Kbpefc32.exe 2216 Klkfdi32.exe 1292 Kbenacdm.exe 1856 Lmalgq32.exe 868 Lkelpd32.exe 2796 Lpaehl32.exe 2588 Mmjomogn.exe 2732 Mdojnm32.exe 2760 Naegmabc.exe 2604 Ngbpehpj.exe 2200 Ndfpnl32.exe 1256 Nnodgbed.exe 660 Njeelc32.exe 2364 Ncnjeh32.exe 288 Oodjjign.exe 1444 Ohmoco32.exe 1572 Onjgkf32.exe 2452 Oiokholk.exe 2896 Objmgd32.exe 2920 Oqojhp32.exe 1200 Pcpbik32.exe 1700 Pjjkfe32.exe 3016 Pbepkh32.exe 2108 Ppipdl32.exe 1780 Pnnmeh32.exe 816 Phgannal.exe 1852 Qifnhaho.exe 1872 Amhcad32.exe 1480 Ahngomkd.exe 2784 Amjpgdik.exe 1012 Addhcn32.exe 1672 Aiaqle32.exe 2816 Abjeejep.exe 672 Adiaommc.exe 2112 Aifjgdkj.exe 1432 Abnopj32.exe 2000 Bpboinpd.exe 2908 Baclaf32.exe 1544 Bklpjlmc.exe 2864 Beadgdli.exe 1768 Bceeqi32.exe 1044 Bhbmip32.exe 2008 Boleejag.exe 1600 Bdinnqon.exe 2388 Boobki32.exe -
Loads dropped DLL 64 IoCs
pid Process 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 2960 Einlmkhp.exe 2960 Einlmkhp.exe 2616 Edcqjc32.exe 2616 Edcqjc32.exe 2636 Fhjoof32.exe 2636 Fhjoof32.exe 2704 Facdgl32.exe 2704 Facdgl32.exe 2560 Ggdekbgb.exe 2560 Ggdekbgb.exe 388 Gpmjcg32.exe 388 Gpmjcg32.exe 2456 Gmqkml32.exe 2456 Gmqkml32.exe 1452 Hofqpc32.exe 1452 Hofqpc32.exe 2884 Hfebhmbm.exe 2884 Hfebhmbm.exe 1680 Halcmn32.exe 1680 Halcmn32.exe 2160 Hkdgecna.exe 2160 Hkdgecna.exe 1736 Idmlniea.exe 1736 Idmlniea.exe 3000 Imjmhkpj.exe 3000 Imjmhkpj.exe 3056 Ikagogco.exe 3056 Ikagogco.exe 1756 Imacijjb.exe 1756 Imacijjb.exe 732 Jnemfa32.exe 732 Jnemfa32.exe 1560 Jngilalk.exe 1560 Jngilalk.exe 832 Kamlhl32.exe 832 Kamlhl32.exe 1640 Kihpmnbb.exe 1640 Kihpmnbb.exe 556 Kbpefc32.exe 556 Kbpefc32.exe 2216 Klkfdi32.exe 2216 Klkfdi32.exe 1292 Kbenacdm.exe 1292 Kbenacdm.exe 1856 Lmalgq32.exe 1856 Lmalgq32.exe 868 Lkelpd32.exe 868 Lkelpd32.exe 2796 Lpaehl32.exe 2796 Lpaehl32.exe 2588 Mmjomogn.exe 2588 Mmjomogn.exe 2732 Mdojnm32.exe 2732 Mdojnm32.exe 2760 Naegmabc.exe 2760 Naegmabc.exe 2604 Ngbpehpj.exe 2604 Ngbpehpj.exe 2200 Ndfpnl32.exe 2200 Ndfpnl32.exe 1256 Nnodgbed.exe 1256 Nnodgbed.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Enpdjfgj.exe Ehclbpic.exe File opened for modification C:\Windows\SysWOW64\Lddoopbi.exe Kccbgh32.exe File opened for modification C:\Windows\SysWOW64\Dcihdo32.exe Dnlolhoo.exe File opened for modification C:\Windows\SysWOW64\Mliibj32.exe Mfoqephq.exe File opened for modification C:\Windows\SysWOW64\Qdlialfb.exe Qkcdigpa.exe File created C:\Windows\SysWOW64\Fdhigo32.exe Fokaoh32.exe File created C:\Windows\SysWOW64\Lfkfkopk.exe Lmbabj32.exe File opened for modification C:\Windows\SysWOW64\Echlmh32.exe Ejohdbok.exe File created C:\Windows\SysWOW64\Apgcbmha.exe Agonig32.exe File created C:\Windows\SysWOW64\Ccakij32.exe Cilfka32.exe File opened for modification C:\Windows\SysWOW64\Emqaaabg.exe Effidg32.exe File created C:\Windows\SysWOW64\Coaipi32.dll Effidg32.exe File created C:\Windows\SysWOW64\Hhjhgpcn.exe Happkf32.exe File created C:\Windows\SysWOW64\Cpgidb32.dll Lmhdph32.exe File created C:\Windows\SysWOW64\Acpjga32.exe Aijfihip.exe File created C:\Windows\SysWOW64\Ihilqi32.exe Ijelgemi.exe File opened for modification C:\Windows\SysWOW64\Baiingae.exe Bebiifka.exe File opened for modification C:\Windows\SysWOW64\Daplmimi.exe Dhggdcgh.exe File opened for modification C:\Windows\SysWOW64\Dnfkefad.exe Dhmchljg.exe File created C:\Windows\SysWOW64\Fdemap32.exe Fbdpjgjf.exe File opened for modification C:\Windows\SysWOW64\Idmlniea.exe Hkdgecna.exe File created C:\Windows\SysWOW64\Dgoobg32.exe Dglbmg32.exe File opened for modification C:\Windows\SysWOW64\Abnopj32.exe Aifjgdkj.exe File created C:\Windows\SysWOW64\Cfdiko32.dll Moqgiopk.exe File created C:\Windows\SysWOW64\Dggbgadf.exe Dmomnlne.exe File opened for modification C:\Windows\SysWOW64\Ajmhljip.exe Anfggicl.exe File opened for modification C:\Windows\SysWOW64\Elqcnfdp.exe Egdjfo32.exe File created C:\Windows\SysWOW64\Goodpb32.exe Gmnlog32.exe File created C:\Windows\SysWOW64\Jljoia32.dll Hjhofj32.exe File opened for modification C:\Windows\SysWOW64\Faedpdcc.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Lqeipj32.dll Jmgfgham.exe File opened for modification C:\Windows\SysWOW64\Mpqekkob.exe Mfhabe32.exe File created C:\Windows\SysWOW64\Kbajcaio.dll Happkf32.exe File created C:\Windows\SysWOW64\Fopako32.dll Ibillk32.exe File created C:\Windows\SysWOW64\Knddcg32.exe Knbgnhfd.exe File created C:\Windows\SysWOW64\Fphoal32.dll Moflkfca.exe File created C:\Windows\SysWOW64\Nekofg32.dll Kgjgepqm.exe File created C:\Windows\SysWOW64\Igkdaemk.dll Cpbkhabp.exe File opened for modification C:\Windows\SysWOW64\Pcmoie32.exe Pigklmqc.exe File opened for modification C:\Windows\SysWOW64\Lmhdph32.exe Lmfgkh32.exe File created C:\Windows\SysWOW64\Ijipclac.dll Aidpjm32.exe File created C:\Windows\SysWOW64\Hhdcejph.exe Hajkip32.exe File created C:\Windows\SysWOW64\Mcegqmpg.dll Mchadifq.exe File created C:\Windows\SysWOW64\Pdqfnhpa.exe Pikaqppk.exe File created C:\Windows\SysWOW64\Hopgikop.exe Gheola32.exe File created C:\Windows\SysWOW64\Hlpchfdi.exe Hafbghhj.exe File created C:\Windows\SysWOW64\Kenjgi32.exe Kigibh32.exe File created C:\Windows\SysWOW64\Aiqjao32.exe Ankedf32.exe File created C:\Windows\SysWOW64\Njnjicba.dll Hhdcejph.exe File created C:\Windows\SysWOW64\Kcghhg32.dll Pbaide32.exe File created C:\Windows\SysWOW64\Gheola32.exe Gcifdj32.exe File created C:\Windows\SysWOW64\Ndfpnl32.exe Ngbpehpj.exe File created C:\Windows\SysWOW64\Dglpdomh.exe Dnckki32.exe File created C:\Windows\SysWOW64\Hbghdj32.exe Hhadgakg.exe File created C:\Windows\SysWOW64\Kfopdk32.exe Kmfklepl.exe File opened for modification C:\Windows\SysWOW64\Bomhnb32.exe Bojkib32.exe File created C:\Windows\SysWOW64\Cjmmffgn.exe Cdpdnpif.exe File opened for modification C:\Windows\SysWOW64\Gfjcgc32.exe Gppkkikh.exe File opened for modification C:\Windows\SysWOW64\Ccjehkek.exe Cnmlpd32.exe File created C:\Windows\SysWOW64\Kcmelmkh.dll Acjdgf32.exe File opened for modification C:\Windows\SysWOW64\Apgcbmha.exe Agonig32.exe File opened for modification C:\Windows\SysWOW64\Alqplmlb.exe Ajbdpblo.exe File created C:\Windows\SysWOW64\Gcifdj32.exe Glongpao.exe File created C:\Windows\SysWOW64\Gnaaicgh.dll Gheola32.exe -
Program crash 1 IoCs
pid pid_target Process 4664 4668 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcbhlki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemalkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplmimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemebcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdepmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiclnpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mliibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emqaaabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aenileon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjngej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijfihip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpoaheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiiiine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpfbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifahpnfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikaqppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imfeip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollljo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkohc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dleelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjajno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcgaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbhmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbmhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbimbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiofdmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnlolhoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hamgno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddoopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephhmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dammoahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgboogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmhljip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blcmbmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmgeb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gibmep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejpdk32.dll" Knodnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Ljfckodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqdcgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ommbioja.dll" Iopeoknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbfobllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocalffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agcekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjfjalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfoioei.dll" Hhjhgpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmljkb32.dll" Elejqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefeaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emqaaabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onobqhia.dll" Oecnkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll" Ngcbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hofqpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgcbo32.dll" Mliibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollljo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqgaenpf.dll" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dglpdomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdhnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjhdgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkioho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acadchoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafkookd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agonig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldijj32.dll" Pinnfonh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boolhikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faljqcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmeqjdf.dll" Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhdcejph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpqekkob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einmnkgf.dll" Bmgddcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elqcnfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fokofpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elcpdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeconcng.dll" Fljfdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphmbolk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohqfe32.dll" Hajkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papkcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nilpmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfpgee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll" Cggcofkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhakecld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkemli32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2960 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 30 PID 2712 wrote to memory of 2960 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 30 PID 2712 wrote to memory of 2960 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 30 PID 2712 wrote to memory of 2960 2712 f32096cef418a80d5bf813cf4b6722a0N.exe 30 PID 2960 wrote to memory of 2616 2960 Einlmkhp.exe 31 PID 2960 wrote to memory of 2616 2960 Einlmkhp.exe 31 PID 2960 wrote to memory of 2616 2960 Einlmkhp.exe 31 PID 2960 wrote to memory of 2616 2960 Einlmkhp.exe 31 PID 2616 wrote to memory of 2636 2616 Edcqjc32.exe 32 PID 2616 wrote to memory of 2636 2616 Edcqjc32.exe 32 PID 2616 wrote to memory of 2636 2616 Edcqjc32.exe 32 PID 2616 wrote to memory of 2636 2616 Edcqjc32.exe 32 PID 2636 wrote to memory of 2704 2636 Fhjoof32.exe 33 PID 2636 wrote to memory of 2704 2636 Fhjoof32.exe 33 PID 2636 wrote to memory of 2704 2636 Fhjoof32.exe 33 PID 2636 wrote to memory of 2704 2636 Fhjoof32.exe 33 PID 2704 wrote to memory of 2560 2704 Facdgl32.exe 34 PID 2704 wrote to memory of 2560 2704 Facdgl32.exe 34 PID 2704 wrote to memory of 2560 2704 Facdgl32.exe 34 PID 2704 wrote to memory of 2560 2704 Facdgl32.exe 34 PID 2560 wrote to memory of 388 2560 Ggdekbgb.exe 35 PID 2560 wrote to memory of 388 2560 Ggdekbgb.exe 35 PID 2560 wrote to memory of 388 2560 Ggdekbgb.exe 35 PID 2560 wrote to memory of 388 2560 Ggdekbgb.exe 35 PID 388 wrote to memory of 2456 388 Gpmjcg32.exe 36 PID 388 wrote to memory of 2456 388 Gpmjcg32.exe 36 PID 388 wrote to memory of 2456 388 Gpmjcg32.exe 36 PID 388 wrote to memory of 2456 388 Gpmjcg32.exe 36 PID 2456 wrote to memory of 1452 2456 Gmqkml32.exe 37 PID 2456 wrote to memory of 1452 2456 Gmqkml32.exe 37 PID 2456 wrote to memory of 1452 2456 Gmqkml32.exe 37 PID 2456 wrote to memory of 1452 2456 Gmqkml32.exe 37 PID 1452 wrote to memory of 2884 1452 Hofqpc32.exe 38 PID 1452 wrote to memory of 2884 1452 Hofqpc32.exe 38 PID 1452 wrote to memory of 2884 1452 Hofqpc32.exe 38 PID 1452 wrote to memory of 2884 1452 Hofqpc32.exe 38 PID 2884 wrote to memory of 1680 2884 Hfebhmbm.exe 39 PID 2884 wrote to memory of 1680 2884 Hfebhmbm.exe 39 PID 2884 wrote to memory of 1680 2884 Hfebhmbm.exe 39 PID 2884 wrote to memory of 1680 2884 Hfebhmbm.exe 39 PID 1680 wrote to memory of 2160 1680 Halcmn32.exe 40 PID 1680 wrote to memory of 2160 1680 Halcmn32.exe 40 PID 1680 wrote to memory of 2160 1680 Halcmn32.exe 40 PID 1680 wrote to memory of 2160 1680 Halcmn32.exe 40 PID 2160 wrote to memory of 1736 2160 Hkdgecna.exe 41 PID 2160 wrote to memory of 1736 2160 Hkdgecna.exe 41 PID 2160 wrote to memory of 1736 2160 Hkdgecna.exe 41 PID 2160 wrote to memory of 1736 2160 Hkdgecna.exe 41 PID 1736 wrote to memory of 3000 1736 Idmlniea.exe 42 PID 1736 wrote to memory of 3000 1736 Idmlniea.exe 42 PID 1736 wrote to memory of 3000 1736 Idmlniea.exe 42 PID 1736 wrote to memory of 3000 1736 Idmlniea.exe 42 PID 3000 wrote to memory of 3056 3000 Imjmhkpj.exe 43 PID 3000 wrote to memory of 3056 3000 Imjmhkpj.exe 43 PID 3000 wrote to memory of 3056 3000 Imjmhkpj.exe 43 PID 3000 wrote to memory of 3056 3000 Imjmhkpj.exe 43 PID 3056 wrote to memory of 1756 3056 Ikagogco.exe 44 PID 3056 wrote to memory of 1756 3056 Ikagogco.exe 44 PID 3056 wrote to memory of 1756 3056 Ikagogco.exe 44 PID 3056 wrote to memory of 1756 3056 Ikagogco.exe 44 PID 1756 wrote to memory of 732 1756 Imacijjb.exe 45 PID 1756 wrote to memory of 732 1756 Imacijjb.exe 45 PID 1756 wrote to memory of 732 1756 Imacijjb.exe 45 PID 1756 wrote to memory of 732 1756 Imacijjb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f32096cef418a80d5bf813cf4b6722a0N.exe"C:\Users\Admin\AppData\Local\Temp\f32096cef418a80d5bf813cf4b6722a0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:732 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe33⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe34⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe35⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe36⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe37⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe38⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe39⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe40⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Pcpbik32.exeC:\Windows\system32\Pcpbik32.exe41⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe42⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe44⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe45⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe46⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe48⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe49⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Amjpgdik.exeC:\Windows\system32\Amjpgdik.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe52⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe53⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Bpboinpd.exeC:\Windows\system32\Bpboinpd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe58⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe59⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe60⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe61⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe62⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe63⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe64⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe65⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe66⤵PID:1084
-
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe67⤵PID:1684
-
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe69⤵PID:1164
-
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe71⤵PID:2188
-
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe72⤵PID:2596
-
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe73⤵PID:2656
-
C:\Windows\SysWOW64\Clnehado.exeC:\Windows\system32\Clnehado.exe74⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe76⤵PID:1848
-
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe77⤵PID:2680
-
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe78⤵PID:2264
-
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe79⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe80⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe81⤵PID:1172
-
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe82⤵PID:1800
-
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe83⤵PID:1000
-
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe85⤵PID:2060
-
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe86⤵PID:1228
-
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe88⤵PID:2460
-
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe89⤵PID:2096
-
C:\Windows\SysWOW64\Emdhhdqb.exeC:\Windows\system32\Emdhhdqb.exe90⤵PID:2320
-
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe91⤵PID:2740
-
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe92⤵PID:2040
-
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe94⤵PID:692
-
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe95⤵PID:2552
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe96⤵PID:2144
-
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe97⤵PID:600
-
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe98⤵PID:2992
-
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe99⤵PID:1708
-
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe101⤵PID:2432
-
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe102⤵PID:1940
-
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe103⤵PID:560
-
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe104⤵PID:1952
-
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe105⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe106⤵PID:2056
-
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe107⤵PID:1864
-
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe108⤵PID:2064
-
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe109⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe110⤵PID:2700
-
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe112⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe113⤵PID:1880
-
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe114⤵PID:2544
-
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe115⤵PID:2220
-
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe116⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe117⤵PID:1072
-
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe118⤵PID:2532
-
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe119⤵PID:2640
-
C:\Windows\SysWOW64\Kkciic32.exeC:\Windows\system32\Kkciic32.exe120⤵PID:2028
-
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe121⤵
- Drops file in System32 directory
PID:2660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-