Analysis
-
max time kernel
51s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 12:32
Static task
static1
Behavioral task
behavioral1
Sample
7f034f8f895234d76fed907a1105c890N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7f034f8f895234d76fed907a1105c890N.exe
Resource
win10v2004-20240802-en
General
-
Target
7f034f8f895234d76fed907a1105c890N.exe
-
Size
93KB
-
MD5
7f034f8f895234d76fed907a1105c890
-
SHA1
2c1165c9ff6033680eb4cd945d0d5de8257d9c74
-
SHA256
a4dc505ab55d7e2289f09d8a1742e6f90f7c54206d33bd8b73aee29f09a3e61f
-
SHA512
971ae26d0457e4e4ae01481c38d260880623d50331c88a87a41066b56ad4b142fd5eb30093888e744ec4969a6d8c8e1ca9b099acb49c4caeb394290f65ae3279
-
SSDEEP
1536:cQAhDmLCyiYZi2o4NdqOAngwmJGRF6ZOJhTIpIt5FsaMiwihtIbbpkp:7uDmLhi8i2ourZwmJGRF/TEQ5FdMiwa/
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojddmec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgalkcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necogkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfhiplmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdejhfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcbnanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbppnbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imnbbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfdnihk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egikjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbefcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbajkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oehdan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmcchlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kllnhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqlicclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hipmmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcijf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2368 Bleeioil.exe 1856 Bfkifhib.exe 2440 Clgbno32.exe 2776 Cbajkiof.exe 2688 Cepfgdnj.exe 2616 Cljodo32.exe 2636 Cbdgqimc.exe 2748 Ckolek32.exe 1888 Cedpbd32.exe 1624 Ckahkk32.exe 1996 Cpnaca32.exe 2344 Cfhiplmp.exe 1404 Danmmd32.exe 1360 Dbojdmcd.exe 2888 Diibag32.exe 304 Dpcjnabn.exe 3028 Dbafjlaa.exe 2884 Dikogf32.exe 1212 Dljkcb32.exe 1572 Dgoopkgh.exe 984 Dllhhaep.exe 1964 Dojddmec.exe 2192 Diphbfdi.exe 2908 Dhbhmb32.exe 532 Dakmfh32.exe 2664 Degiggjm.exe 2264 Enbnkigh.exe 1528 Eeielfhk.exe 2720 Egjbdo32.exe 2712 Endjaief.exe 1836 Epbfmd32.exe 2692 Egmojnlf.exe 2392 Enfgfh32.exe 3016 Eccpoo32.exe 1420 Elldgehk.exe 236 Edclib32.exe 1828 Efdhpjok.exe 1224 Enkpahon.exe 1204 Fchijone.exe 1080 Fgcejm32.exe 1776 Fqlicclo.exe 2240 Fcjeon32.exe 2236 Fjdnlhco.exe 2668 Fkejcq32.exe 1316 Fhikme32.exe 344 Fmegncpp.exe 1516 Foccjood.exe 852 Fnfcel32.exe 324 Fbbofjnh.exe 576 Fdpkbf32.exe 888 Filgbdfd.exe 2148 Fofpoo32.exe 2672 Fnipkkdl.exe 2796 Fdbhge32.exe 2756 Findhdcb.exe 1972 Fkmqdpce.exe 1728 Gnkmqkbi.exe 1968 Gqiimfam.exe 1552 Gcheib32.exe 1816 Ggcaiqhj.exe 2984 Gjbmelgm.exe 784 Gnmifk32.exe 2932 Gmpjagfa.exe 2480 Gegabegc.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 7f034f8f895234d76fed907a1105c890N.exe 2012 7f034f8f895234d76fed907a1105c890N.exe 2368 Bleeioil.exe 2368 Bleeioil.exe 1856 Bfkifhib.exe 1856 Bfkifhib.exe 2440 Clgbno32.exe 2440 Clgbno32.exe 2776 Cbajkiof.exe 2776 Cbajkiof.exe 2688 Cepfgdnj.exe 2688 Cepfgdnj.exe 2616 Cljodo32.exe 2616 Cljodo32.exe 2636 Cbdgqimc.exe 2636 Cbdgqimc.exe 2748 Ckolek32.exe 2748 Ckolek32.exe 1888 Cedpbd32.exe 1888 Cedpbd32.exe 1624 Ckahkk32.exe 1624 Ckahkk32.exe 1996 Cpnaca32.exe 1996 Cpnaca32.exe 2344 Cfhiplmp.exe 2344 Cfhiplmp.exe 1404 Danmmd32.exe 1404 Danmmd32.exe 1360 Dbojdmcd.exe 1360 Dbojdmcd.exe 2888 Diibag32.exe 2888 Diibag32.exe 304 Dpcjnabn.exe 304 Dpcjnabn.exe 3028 Dbafjlaa.exe 3028 Dbafjlaa.exe 2884 Dikogf32.exe 2884 Dikogf32.exe 1212 Dljkcb32.exe 1212 Dljkcb32.exe 1572 Dgoopkgh.exe 1572 Dgoopkgh.exe 984 Dllhhaep.exe 984 Dllhhaep.exe 1964 Dojddmec.exe 1964 Dojddmec.exe 2192 Diphbfdi.exe 2192 Diphbfdi.exe 2908 Dhbhmb32.exe 2908 Dhbhmb32.exe 532 Dakmfh32.exe 532 Dakmfh32.exe 2664 Degiggjm.exe 2664 Degiggjm.exe 2264 Enbnkigh.exe 2264 Enbnkigh.exe 1528 Eeielfhk.exe 1528 Eeielfhk.exe 2720 Egjbdo32.exe 2720 Egjbdo32.exe 2712 Endjaief.exe 2712 Endjaief.exe 1836 Epbfmd32.exe 1836 Epbfmd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kgfkgo32.dll Fggkcl32.exe File created C:\Windows\SysWOW64\Phbeeddm.dll Hmdhad32.exe File created C:\Windows\SysWOW64\Iedfqeka.exe Ibejdjln.exe File created C:\Windows\SysWOW64\Oncobd32.dll Kpdjaecc.exe File created C:\Windows\SysWOW64\Aakjdo32.exe Aomnhd32.exe File opened for modification C:\Windows\SysWOW64\Niedqnen.exe Nfghdcfj.exe File created C:\Windows\SysWOW64\Ohhmcinf.exe Opaebkmc.exe File created C:\Windows\SysWOW64\Mqdkdffe.dll Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Dfphcj32.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Jgfklg32.dll Imahkg32.exe File opened for modification C:\Windows\SysWOW64\Njjcip32.exe Nfoghakb.exe File created C:\Windows\SysWOW64\Ihmpobck.exe Idadnd32.exe File opened for modification C:\Windows\SysWOW64\Cmjdaqgi.exe Cfpldf32.exe File opened for modification C:\Windows\SysWOW64\Nameek32.exe Nnoiio32.exe File opened for modification C:\Windows\SysWOW64\Npaich32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Njfjnpgp.exe Nhgnaehm.exe File created C:\Windows\SysWOW64\Obokcqhk.exe Olebgfao.exe File opened for modification C:\Windows\SysWOW64\Ilofhffj.exe Ijmipn32.exe File created C:\Windows\SysWOW64\Kljabgnh.exe Kfpifm32.exe File opened for modification C:\Windows\SysWOW64\Npmphinm.exe Nnkcpq32.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lgehno32.exe File created C:\Windows\SysWOW64\Coamkc32.dll Mdghaf32.exe File created C:\Windows\SysWOW64\Accpqnab.dll Necogkbo.exe File created C:\Windows\SysWOW64\Jgcomkpo.dll Nhakcfab.exe File opened for modification C:\Windows\SysWOW64\Pgpgjepk.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Djiqcmnn.dll Njjcip32.exe File created C:\Windows\SysWOW64\Obdojcef.exe Ooicid32.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Nmfbpk32.exe Njhfcp32.exe File created C:\Windows\SysWOW64\Omklkkpl.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Melifl32.exe Mbnljqic.exe File opened for modification C:\Windows\SysWOW64\Mhonngce.exe Meabakda.exe File created C:\Windows\SysWOW64\Fnofjfhk.exe Fkpjnkig.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hidcef32.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ifgpnmom.exe File opened for modification C:\Windows\SysWOW64\Jfliim32.exe Jdnmma32.exe File created C:\Windows\SysWOW64\Lhiakf32.exe Ljfapjbi.exe File created C:\Windows\SysWOW64\Cepipm32.exe Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Fgldnkkf.exe Fcphnm32.exe File created C:\Windows\SysWOW64\Aoapfe32.dll Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Gcmoda32.exe Gqnbhf32.exe File opened for modification C:\Windows\SysWOW64\Imnbbi32.exe Iegjqk32.exe File created C:\Windows\SysWOW64\Dmhdkdlg.exe Dkigoimd.exe File created C:\Windows\SysWOW64\Ajfgpl32.dll Ddblgn32.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Fncpef32.exe File created C:\Windows\SysWOW64\Nlcgpm32.dll Mnmpdlac.exe File created C:\Windows\SysWOW64\Ojomdoof.exe Ofcqcp32.exe File opened for modification C:\Windows\SysWOW64\Bfkifhib.exe Bleeioil.exe File opened for modification C:\Windows\SysWOW64\Nigafnck.exe Nfidjbdg.exe File opened for modification C:\Windows\SysWOW64\Bjebdfnn.exe Bnnaoe32.exe File created C:\Windows\SysWOW64\Mpmhhb32.dll Dllhhaep.exe File created C:\Windows\SysWOW64\Mndmoaog.exe Mlfacfpc.exe File created C:\Windows\SysWOW64\Afgmodel.exe Agdmdg32.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Bqijljfd.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Gfhnjm32.exe Ggfnopfg.exe File created C:\Windows\SysWOW64\Gklodf32.dll Eldglp32.exe File created C:\Windows\SysWOW64\Iidgma32.dll Hgbfnngi.exe File created C:\Windows\SysWOW64\Hfhcoj32.exe Hcigco32.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Mcnbhb32.exe File created C:\Windows\SysWOW64\Dljkcb32.exe Dikogf32.exe File opened for modification C:\Windows\SysWOW64\Hipmmg32.exe Hfbaql32.exe File opened for modification C:\Windows\SysWOW64\Meabakda.exe Mbbfep32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7972 7936 WerFault.exe 754 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbafjlaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boljgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbiaemkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmfaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gildahhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehdan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonldcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbofjnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filgbdfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfnopfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkkpmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdojcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbojdmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbmelgm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjceldap.dll" Ooicid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddnjc32.dll" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedaglad.dll" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbdaaci.dll" Hpbdmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmecmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibhndp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioakoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqojeand.dll" Gfhnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhdjk32.dll" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpapdk32.dll" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moohhbcf.dll" Njfjnpgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpjfb32.dll" Gbaken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpincmg.dll" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepckd32.dll" 7f034f8f895234d76fed907a1105c890N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilabmedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoddn32.dll" Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egmojnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daddfpbk.dll" Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inaqlm32.dll" Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enbnkigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimfld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afjjed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnofjfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ioakoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgaiobjn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2368 2012 7f034f8f895234d76fed907a1105c890N.exe 30 PID 2012 wrote to memory of 2368 2012 7f034f8f895234d76fed907a1105c890N.exe 30 PID 2012 wrote to memory of 2368 2012 7f034f8f895234d76fed907a1105c890N.exe 30 PID 2012 wrote to memory of 2368 2012 7f034f8f895234d76fed907a1105c890N.exe 30 PID 2368 wrote to memory of 1856 2368 Bleeioil.exe 31 PID 2368 wrote to memory of 1856 2368 Bleeioil.exe 31 PID 2368 wrote to memory of 1856 2368 Bleeioil.exe 31 PID 2368 wrote to memory of 1856 2368 Bleeioil.exe 31 PID 1856 wrote to memory of 2440 1856 Bfkifhib.exe 32 PID 1856 wrote to memory of 2440 1856 Bfkifhib.exe 32 PID 1856 wrote to memory of 2440 1856 Bfkifhib.exe 32 PID 1856 wrote to memory of 2440 1856 Bfkifhib.exe 32 PID 2440 wrote to memory of 2776 2440 Clgbno32.exe 33 PID 2440 wrote to memory of 2776 2440 Clgbno32.exe 33 PID 2440 wrote to memory of 2776 2440 Clgbno32.exe 33 PID 2440 wrote to memory of 2776 2440 Clgbno32.exe 33 PID 2776 wrote to memory of 2688 2776 Cbajkiof.exe 34 PID 2776 wrote to memory of 2688 2776 Cbajkiof.exe 34 PID 2776 wrote to memory of 2688 2776 Cbajkiof.exe 34 PID 2776 wrote to memory of 2688 2776 Cbajkiof.exe 34 PID 2688 wrote to memory of 2616 2688 Cepfgdnj.exe 35 PID 2688 wrote to memory of 2616 2688 Cepfgdnj.exe 35 PID 2688 wrote to memory of 2616 2688 Cepfgdnj.exe 35 PID 2688 wrote to memory of 2616 2688 Cepfgdnj.exe 35 PID 2616 wrote to memory of 2636 2616 Cljodo32.exe 36 PID 2616 wrote to memory of 2636 2616 Cljodo32.exe 36 PID 2616 wrote to memory of 2636 2616 Cljodo32.exe 36 PID 2616 wrote to memory of 2636 2616 Cljodo32.exe 36 PID 2636 wrote to memory of 2748 2636 Cbdgqimc.exe 37 PID 2636 wrote to memory of 2748 2636 Cbdgqimc.exe 37 PID 2636 wrote to memory of 2748 2636 Cbdgqimc.exe 37 PID 2636 wrote to memory of 2748 2636 Cbdgqimc.exe 37 PID 2748 wrote to memory of 1888 2748 Ckolek32.exe 38 PID 2748 wrote to memory of 1888 2748 Ckolek32.exe 38 PID 2748 wrote to memory of 1888 2748 Ckolek32.exe 38 PID 2748 wrote to memory of 1888 2748 Ckolek32.exe 38 PID 1888 wrote to memory of 1624 1888 Cedpbd32.exe 39 PID 1888 wrote to memory of 1624 1888 Cedpbd32.exe 39 PID 1888 wrote to memory of 1624 1888 Cedpbd32.exe 39 PID 1888 wrote to memory of 1624 1888 Cedpbd32.exe 39 PID 1624 wrote to memory of 1996 1624 Ckahkk32.exe 40 PID 1624 wrote to memory of 1996 1624 Ckahkk32.exe 40 PID 1624 wrote to memory of 1996 1624 Ckahkk32.exe 40 PID 1624 wrote to memory of 1996 1624 Ckahkk32.exe 40 PID 1996 wrote to memory of 2344 1996 Cpnaca32.exe 41 PID 1996 wrote to memory of 2344 1996 Cpnaca32.exe 41 PID 1996 wrote to memory of 2344 1996 Cpnaca32.exe 41 PID 1996 wrote to memory of 2344 1996 Cpnaca32.exe 41 PID 2344 wrote to memory of 1404 2344 Cfhiplmp.exe 42 PID 2344 wrote to memory of 1404 2344 Cfhiplmp.exe 42 PID 2344 wrote to memory of 1404 2344 Cfhiplmp.exe 42 PID 2344 wrote to memory of 1404 2344 Cfhiplmp.exe 42 PID 1404 wrote to memory of 1360 1404 Danmmd32.exe 43 PID 1404 wrote to memory of 1360 1404 Danmmd32.exe 43 PID 1404 wrote to memory of 1360 1404 Danmmd32.exe 43 PID 1404 wrote to memory of 1360 1404 Danmmd32.exe 43 PID 1360 wrote to memory of 2888 1360 Dbojdmcd.exe 44 PID 1360 wrote to memory of 2888 1360 Dbojdmcd.exe 44 PID 1360 wrote to memory of 2888 1360 Dbojdmcd.exe 44 PID 1360 wrote to memory of 2888 1360 Dbojdmcd.exe 44 PID 2888 wrote to memory of 304 2888 Diibag32.exe 45 PID 2888 wrote to memory of 304 2888 Diibag32.exe 45 PID 2888 wrote to memory of 304 2888 Diibag32.exe 45 PID 2888 wrote to memory of 304 2888 Diibag32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f034f8f895234d76fed907a1105c890N.exe"C:\Users\Admin\AppData\Local\Temp\7f034f8f895234d76fed907a1105c890N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe34⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe36⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe37⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe38⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe40⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe41⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe43⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe45⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe46⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe48⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe49⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe51⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe53⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe54⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe56⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe57⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe58⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe60⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe61⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe64⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe65⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe67⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe68⤵PID:2316
-
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe69⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe70⤵PID:2504
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe71⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe73⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe74⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe76⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe77⤵PID:1820
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe78⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe79⤵PID:848
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe80⤵PID:2464
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe81⤵PID:2088
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe82⤵PID:2168
-
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe83⤵
- System Location Discovery: System Language Discovery
PID:404 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe84⤵PID:1660
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe88⤵PID:1532
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe89⤵PID:2280
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe90⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe91⤵PID:1808
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe92⤵PID:2016
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe93⤵PID:2068
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe94⤵PID:2880
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe95⤵PID:464
-
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe96⤵PID:444
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe97⤵PID:1716
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe98⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe100⤵PID:828
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe101⤵PID:1804
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe102⤵PID:2864
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe103⤵PID:2604
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe104⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe105⤵PID:2028
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe106⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe107⤵PID:1032
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe109⤵PID:1304
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe110⤵PID:2792
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe111⤵PID:2124
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe112⤵PID:1840
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe114⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe115⤵PID:2716
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe116⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe117⤵
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe118⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe120⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe121⤵PID:2388
-
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe122⤵
- System Location Discovery: System Language Discovery
PID:3068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-