Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 20:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe
-
Size
96KB
-
MD5
c8711a2b0fefef6ab2c6971d0f3e87b3
-
SHA1
5033a3e64614cb7bca7d12b3fd31699d0e4f4f69
-
SHA256
3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e
-
SHA512
8567265604e770f23a7048f5ef36e39c0ccd554333570e8e5600143136809e226e7017c0e8f55ecbe4cd38b6b8a48af3e3a0a7bd04a6c5aed1af7fa3e6717a0b
-
SSDEEP
1536:pUS/msrUT18CbuBpiZF5MSEb3uKH2Lk1BPXuhiTMuZXGTIVefVDkryyAyqX:p//msoTaeuXif5MSEb31saBPXuhuXGQi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Denknngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmfpnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcahgjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qonlhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcokaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklaepbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfhjfdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffabman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjedk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfgpgmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaillp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mognco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jficbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nliqoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blplkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmfiefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmcelkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoonqmqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcaaahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lheilofe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faefim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnnmboa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokahhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppegdapd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmiahlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefmnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjehngm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeceim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhkpcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mganfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhldahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdjedk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feklja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkolmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eokiabjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbhmlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjiik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkphmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgpfjbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbfpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjngnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbhco32.exe -
Executes dropped EXE 64 IoCs
pid Process 2040 Jdogldmo.exe 2792 Jkioho32.exe 2920 Jgppmpjp.exe 2604 Jknicnpf.exe 2632 Kmoekf32.exe 1804 Knoaeimg.exe 2840 Kfjfik32.exe 868 Kflcok32.exe 1016 Kioiffcn.exe 3044 Lnlaomae.exe 328 Lehfafgp.exe 1164 Lekcffem.exe 2228 Laackgka.exe 2348 Mioeeifi.exe 2104 Miaaki32.exe 2644 Mfebdm32.exe 1740 Mhikae32.exe 3020 Mhkhgd32.exe 760 Noepdo32.exe 2060 Nhnemdbf.exe 1012 Nogmin32.exe 1652 Ncjbba32.exe 1456 Nickoldp.exe 384 Nmacej32.exe 2500 Ohkdfhge.exe 1960 Ohmalgeb.exe 2776 Occeip32.exe 2696 Ohpnag32.exe 2728 Okqgcb32.exe 2804 Okcchbnn.exe 2640 Pcnhmdli.exe 2192 Pnfipm32.exe 2200 Pgnnhbpm.exe 2772 Poibmdmh.exe 2832 Pkpcbecl.exe 2344 Pffgonbb.exe 3060 Qonlhd32.exe 560 Aglmbfdk.exe 2880 Agqfme32.exe 2416 Bafkookd.exe 968 Bomhnb32.exe 1384 Cfhlbe32.exe 1728 Cmaeoo32.exe 1380 Cfjihdcc.exe 1108 Cmdaeo32.exe 2204 Cglfndaa.exe 1492 Cmfnjnin.exe 2924 Cgobcd32.exe 2080 Cpgglifo.exe 1116 Cedpdpdf.exe 1988 Dchpnd32.exe 1700 Dibhjokm.exe 2968 Dkcebg32.exe 2188 Dcjmcd32.exe 2124 Ddliklgk.exe 2808 Dndndbnl.exe 2168 Dglbmg32.exe 2400 Dnfjiali.exe 2756 Ddpbfl32.exe 2372 Djmknb32.exe 1792 Ddbolkac.exe 2100 Ejohdbok.exe 2132 Elndpnnn.exe 2156 Effhic32.exe -
Loads dropped DLL 64 IoCs
pid Process 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 2040 Jdogldmo.exe 2040 Jdogldmo.exe 2792 Jkioho32.exe 2792 Jkioho32.exe 2920 Jgppmpjp.exe 2920 Jgppmpjp.exe 2604 Jknicnpf.exe 2604 Jknicnpf.exe 2632 Kmoekf32.exe 2632 Kmoekf32.exe 1804 Knoaeimg.exe 1804 Knoaeimg.exe 2840 Kfjfik32.exe 2840 Kfjfik32.exe 868 Kflcok32.exe 868 Kflcok32.exe 1016 Kioiffcn.exe 1016 Kioiffcn.exe 3044 Lnlaomae.exe 3044 Lnlaomae.exe 328 Lehfafgp.exe 328 Lehfafgp.exe 1164 Lekcffem.exe 1164 Lekcffem.exe 2228 Laackgka.exe 2228 Laackgka.exe 2348 Mioeeifi.exe 2348 Mioeeifi.exe 2104 Miaaki32.exe 2104 Miaaki32.exe 2644 Mfebdm32.exe 2644 Mfebdm32.exe 1740 Mhikae32.exe 1740 Mhikae32.exe 3020 Mhkhgd32.exe 3020 Mhkhgd32.exe 760 Noepdo32.exe 760 Noepdo32.exe 2060 Nhnemdbf.exe 2060 Nhnemdbf.exe 1012 Nogmin32.exe 1012 Nogmin32.exe 1652 Ncjbba32.exe 1652 Ncjbba32.exe 1456 Nickoldp.exe 1456 Nickoldp.exe 384 Nmacej32.exe 384 Nmacej32.exe 2500 Ohkdfhge.exe 2500 Ohkdfhge.exe 1960 Ohmalgeb.exe 1960 Ohmalgeb.exe 2776 Occeip32.exe 2776 Occeip32.exe 2696 Ohpnag32.exe 2696 Ohpnag32.exe 2728 Okqgcb32.exe 2728 Okqgcb32.exe 2804 Okcchbnn.exe 2804 Okcchbnn.exe 2640 Pcnhmdli.exe 2640 Pcnhmdli.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dkbnhq32.exe Dpmjjhmi.exe File opened for modification C:\Windows\SysWOW64\Encchoml.exe Ehfkphnd.exe File created C:\Windows\SysWOW64\Ifghji32.dll Jkjaaglp.exe File opened for modification C:\Windows\SysWOW64\Kgjelg32.exe Kppmpmal.exe File created C:\Windows\SysWOW64\Ojdciphb.dll Fdggofgn.exe File opened for modification C:\Windows\SysWOW64\Lpjiik32.exe Lcfhpf32.exe File created C:\Windows\SysWOW64\Ebofcd32.exe Eqnillbb.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Nfmahkhh.exe File created C:\Windows\SysWOW64\Lagknhgp.dll Blplkp32.exe File created C:\Windows\SysWOW64\Gacdmc32.dll Gemhpq32.exe File created C:\Windows\SysWOW64\Hohfmi32.exe Hcaehhnd.exe File created C:\Windows\SysWOW64\Eincmega.dll Bglghdbc.exe File created C:\Windows\SysWOW64\Jbkhcg32.exe Jkqpfmje.exe File opened for modification C:\Windows\SysWOW64\Boiagp32.exe Bljeke32.exe File created C:\Windows\SysWOW64\Fbebcp32.exe Flkjffkm.exe File opened for modification C:\Windows\SysWOW64\Nhbnjpic.exe Noiiaj32.exe File created C:\Windows\SysWOW64\Ldlipnke.dll Fbfldc32.exe File created C:\Windows\SysWOW64\Efnnjm32.dll Dmljnfll.exe File opened for modification C:\Windows\SysWOW64\Mfakbf32.exe Mmifiahi.exe File opened for modification C:\Windows\SysWOW64\Hpmdjf32.exe Hfdpaqej.exe File opened for modification C:\Windows\SysWOW64\Cngfqi32.exe Ciknhb32.exe File created C:\Windows\SysWOW64\Qmffaheh.dll Chfffk32.exe File opened for modification C:\Windows\SysWOW64\Pgacaaij.exe Pdajpf32.exe File created C:\Windows\SysWOW64\Pfaokb32.dll Dkbnhq32.exe File created C:\Windows\SysWOW64\Bmghlppm.dll Kfkjnh32.exe File opened for modification C:\Windows\SysWOW64\Kfnpgg32.exe Kaojiqej.exe File created C:\Windows\SysWOW64\Hlebog32.exe Hfhjfp32.exe File created C:\Windows\SysWOW64\Fnelmb32.exe Ffjghppi.exe File created C:\Windows\SysWOW64\Offlpgfp.dll Nkphmc32.exe File created C:\Windows\SysWOW64\Dogbolep.exe Dbqajk32.exe File opened for modification C:\Windows\SysWOW64\Faonqiod.exe Flbehbqm.exe File created C:\Windows\SysWOW64\Ocdohdfc.exe Oafclh32.exe File created C:\Windows\SysWOW64\Blmikkle.exe Bgqqcd32.exe File opened for modification C:\Windows\SysWOW64\Mmigdend.exe Mpegka32.exe File created C:\Windows\SysWOW64\Fpanpn32.dll Ndeifbfj.exe File opened for modification C:\Windows\SysWOW64\Mhckloge.exe Mganfp32.exe File created C:\Windows\SysWOW64\Ffjghppi.exe Fkdckgpc.exe File created C:\Windows\SysWOW64\Ijklmn32.exe Ipbgci32.exe File created C:\Windows\SysWOW64\Jhobea32.dll Dheljhof.exe File created C:\Windows\SysWOW64\Eqejjj32.exe Ddoiei32.exe File opened for modification C:\Windows\SysWOW64\Cbagdq32.exe Ckgogfmg.exe File created C:\Windows\SysWOW64\Fijadk32.exe Eiheok32.exe File created C:\Windows\SysWOW64\Ijcmipjh.exe Heedbbdb.exe File opened for modification C:\Windows\SysWOW64\Pncllifp.exe Pdkgcd32.exe File created C:\Windows\SysWOW64\Eqpfchka.exe Emdjbi32.exe File opened for modification C:\Windows\SysWOW64\Bcgoolln.exe Bqhbcqmj.exe File opened for modification C:\Windows\SysWOW64\Efbpihoo.exe Ephhmn32.exe File created C:\Windows\SysWOW64\Gfgpgmql.exe Gomhkb32.exe File created C:\Windows\SysWOW64\Lhhjcmpj.exe Lckbkfbb.exe File created C:\Windows\SysWOW64\Hdcebagp.exe Hgpeimhf.exe File created C:\Windows\SysWOW64\Ojlkonpb.exe Oqcffi32.exe File created C:\Windows\SysWOW64\Ofhefe32.dll Lpiqel32.exe File created C:\Windows\SysWOW64\Cedpdpdf.exe Cpgglifo.exe File opened for modification C:\Windows\SysWOW64\Mginjnnp.exe Mpnifkae.exe File created C:\Windows\SysWOW64\Hjdbckib.dll Jkfnaa32.exe File created C:\Windows\SysWOW64\Mkcagn32.exe Makmnh32.exe File created C:\Windows\SysWOW64\Kfjhfboi.dll Makmnh32.exe File created C:\Windows\SysWOW64\Fcjeakfd.exe Fnmmidhm.exe File created C:\Windows\SysWOW64\Kjakhcne.exe Jddbpmpm.exe File created C:\Windows\SysWOW64\Imfdhdkf.dll Npffaq32.exe File created C:\Windows\SysWOW64\Jpndkj32.exe Jehpna32.exe File opened for modification C:\Windows\SysWOW64\Akhkkmdh.exe Andkbien.exe File opened for modification C:\Windows\SysWOW64\Ieqbbl32.exe Ibbffq32.exe File created C:\Windows\SysWOW64\Gkaghf32.exe Gpkckneh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5076 2908 WerFault.exe 1032 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilpmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpcbecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjehngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnbccia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfdffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhjbjam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcobdgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnacbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkpjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbenlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjgag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqaonnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibehna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofklbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Campbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdmee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iankbldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iainddpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpaoape.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmahog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiheok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpnag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjjcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbbod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmaeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnonjqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdlgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfipj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpjndio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhkbqea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiocfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obonfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbeqjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjihdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmofeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmehqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igioiacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglbmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdblkoco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijadk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcfpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jccjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfoon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicmlpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egljjmkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppegdapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noiiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbjgq32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akhkkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpene32.dll" Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gechnn32.dll" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpghnp.dll" Ddliklgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhlgpao.dll" Fmdfppkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pamibjoj.dll" Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfglbp32.dll" Jccjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomhkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhjijpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkpieggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfhnofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnibl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalldh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anpahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepkfbia.dll" Jeofnpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccffm32.dll" Gpfbfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heedbbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafacd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglpbp32.dll" Picdejbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdabcij.dll" Fpncbjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbcdjpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikmdack.dll" Nliqoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egfglocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciknhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gohqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npqbka32.dll" Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behnkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfkjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdljncel.dll" Kbajci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcfflb.dll" Egfglocf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajlabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmppilc.dll" Plkchdiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojinqngj.dll" Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Algida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnhmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibadnhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgmon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pikkfilp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmifiahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflobh32.dll" Phgfko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goekpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfgahao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iceiibef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lafekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmepl32.dll" Cmfnjnin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpggg32.dll" Hnjagdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdcihfiq.dll" Kaillp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opkpme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqneaodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagknhgp.dll" Blplkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgeopqfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofilmn32.dll" Mookod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbckhmc.dll" Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbaloh.dll" Hgknffcp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2040 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 30 PID 1992 wrote to memory of 2040 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 30 PID 1992 wrote to memory of 2040 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 30 PID 1992 wrote to memory of 2040 1992 3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe 30 PID 2040 wrote to memory of 2792 2040 Jdogldmo.exe 31 PID 2040 wrote to memory of 2792 2040 Jdogldmo.exe 31 PID 2040 wrote to memory of 2792 2040 Jdogldmo.exe 31 PID 2040 wrote to memory of 2792 2040 Jdogldmo.exe 31 PID 2792 wrote to memory of 2920 2792 Jkioho32.exe 32 PID 2792 wrote to memory of 2920 2792 Jkioho32.exe 32 PID 2792 wrote to memory of 2920 2792 Jkioho32.exe 32 PID 2792 wrote to memory of 2920 2792 Jkioho32.exe 32 PID 2920 wrote to memory of 2604 2920 Jgppmpjp.exe 33 PID 2920 wrote to memory of 2604 2920 Jgppmpjp.exe 33 PID 2920 wrote to memory of 2604 2920 Jgppmpjp.exe 33 PID 2920 wrote to memory of 2604 2920 Jgppmpjp.exe 33 PID 2604 wrote to memory of 2632 2604 Jknicnpf.exe 34 PID 2604 wrote to memory of 2632 2604 Jknicnpf.exe 34 PID 2604 wrote to memory of 2632 2604 Jknicnpf.exe 34 PID 2604 wrote to memory of 2632 2604 Jknicnpf.exe 34 PID 2632 wrote to memory of 1804 2632 Kmoekf32.exe 35 PID 2632 wrote to memory of 1804 2632 Kmoekf32.exe 35 PID 2632 wrote to memory of 1804 2632 Kmoekf32.exe 35 PID 2632 wrote to memory of 1804 2632 Kmoekf32.exe 35 PID 1804 wrote to memory of 2840 1804 Knoaeimg.exe 36 PID 1804 wrote to memory of 2840 1804 Knoaeimg.exe 36 PID 1804 wrote to memory of 2840 1804 Knoaeimg.exe 36 PID 1804 wrote to memory of 2840 1804 Knoaeimg.exe 36 PID 2840 wrote to memory of 868 2840 Kfjfik32.exe 37 PID 2840 wrote to memory of 868 2840 Kfjfik32.exe 37 PID 2840 wrote to memory of 868 2840 Kfjfik32.exe 37 PID 2840 wrote to memory of 868 2840 Kfjfik32.exe 37 PID 868 wrote to memory of 1016 868 Kflcok32.exe 38 PID 868 wrote to memory of 1016 868 Kflcok32.exe 38 PID 868 wrote to memory of 1016 868 Kflcok32.exe 38 PID 868 wrote to memory of 1016 868 Kflcok32.exe 38 PID 1016 wrote to memory of 3044 1016 Kioiffcn.exe 39 PID 1016 wrote to memory of 3044 1016 Kioiffcn.exe 39 PID 1016 wrote to memory of 3044 1016 Kioiffcn.exe 39 PID 1016 wrote to memory of 3044 1016 Kioiffcn.exe 39 PID 3044 wrote to memory of 328 3044 Lnlaomae.exe 40 PID 3044 wrote to memory of 328 3044 Lnlaomae.exe 40 PID 3044 wrote to memory of 328 3044 Lnlaomae.exe 40 PID 3044 wrote to memory of 328 3044 Lnlaomae.exe 40 PID 328 wrote to memory of 1164 328 Lehfafgp.exe 41 PID 328 wrote to memory of 1164 328 Lehfafgp.exe 41 PID 328 wrote to memory of 1164 328 Lehfafgp.exe 41 PID 328 wrote to memory of 1164 328 Lehfafgp.exe 41 PID 1164 wrote to memory of 2228 1164 Lekcffem.exe 42 PID 1164 wrote to memory of 2228 1164 Lekcffem.exe 42 PID 1164 wrote to memory of 2228 1164 Lekcffem.exe 42 PID 1164 wrote to memory of 2228 1164 Lekcffem.exe 42 PID 2228 wrote to memory of 2348 2228 Laackgka.exe 43 PID 2228 wrote to memory of 2348 2228 Laackgka.exe 43 PID 2228 wrote to memory of 2348 2228 Laackgka.exe 43 PID 2228 wrote to memory of 2348 2228 Laackgka.exe 43 PID 2348 wrote to memory of 2104 2348 Mioeeifi.exe 44 PID 2348 wrote to memory of 2104 2348 Mioeeifi.exe 44 PID 2348 wrote to memory of 2104 2348 Mioeeifi.exe 44 PID 2348 wrote to memory of 2104 2348 Mioeeifi.exe 44 PID 2104 wrote to memory of 2644 2104 Miaaki32.exe 45 PID 2104 wrote to memory of 2644 2104 Miaaki32.exe 45 PID 2104 wrote to memory of 2644 2104 Miaaki32.exe 45 PID 2104 wrote to memory of 2644 2104 Miaaki32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe"C:\Users\Admin\AppData\Local\Temp\3721c1b3c0bb51b69c85376a3004ce0e39870e0b60f653e63e8f26b2b59c681e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Jkioho32.exeC:\Windows\system32\Jkioho32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Jgppmpjp.exeC:\Windows\system32\Jgppmpjp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jknicnpf.exeC:\Windows\system32\Jknicnpf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Knoaeimg.exeC:\Windows\system32\Knoaeimg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Kfjfik32.exeC:\Windows\system32\Kfjfik32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kflcok32.exeC:\Windows\system32\Kflcok32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Kioiffcn.exeC:\Windows\system32\Kioiffcn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Lnlaomae.exeC:\Windows\system32\Lnlaomae.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Lehfafgp.exeC:\Windows\system32\Lehfafgp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Lekcffem.exeC:\Windows\system32\Lekcffem.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Mioeeifi.exeC:\Windows\system32\Mioeeifi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Mhkhgd32.exeC:\Windows\system32\Mhkhgd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Nhnemdbf.exeC:\Windows\system32\Nhnemdbf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Nickoldp.exeC:\Windows\system32\Nickoldp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Occeip32.exeC:\Windows\system32\Occeip32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe33⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe34⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe35⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe37⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Aglmbfdk.exeC:\Windows\system32\Aglmbfdk.exe39⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe40⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe41⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe42⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe43⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe46⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe47⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe49⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe51⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe52⤵PID:2976
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe54⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe56⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ddliklgk.exeC:\Windows\system32\Ddliklgk.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe58⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe60⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe61⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Djmknb32.exeC:\Windows\system32\Djmknb32.exe62⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe63⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ejohdbok.exeC:\Windows\system32\Ejohdbok.exe64⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Elndpnnn.exeC:\Windows\system32\Elndpnnn.exe65⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe66⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe67⤵PID:3048
-
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe68⤵PID:580
-
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe69⤵PID:888
-
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe70⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe72⤵PID:1596
-
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe73⤵PID:2704
-
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe74⤵PID:2592
-
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe76⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe78⤵PID:2908
-
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe79⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Fnoiocfj.exeC:\Windows\system32\Fnoiocfj.exe81⤵
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe82⤵PID:2364
-
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe83⤵PID:1360
-
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe84⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe85⤵PID:1540
-
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe86⤵PID:1608
-
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe87⤵PID:1376
-
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe88⤵PID:1692
-
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe89⤵PID:2256
-
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe90⤵PID:2352
-
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe91⤵PID:2892
-
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe93⤵PID:2960
-
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe94⤵PID:2964
-
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe95⤵PID:2196
-
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe96⤵PID:684
-
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe97⤵PID:2336
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe99⤵PID:1028
-
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe100⤵PID:2044
-
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe101⤵PID:2656
-
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe102⤵PID:2076
-
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe103⤵PID:2724
-
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe104⤵PID:2884
-
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe105⤵PID:2896
-
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe106⤵PID:2800
-
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe107⤵PID:2116
-
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe108⤵PID:2148
-
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe110⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe111⤵PID:1732
-
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe112⤵PID:2404
-
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe114⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe115⤵PID:2988
-
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe116⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe117⤵PID:2180
-
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe118⤵PID:2820
-
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe119⤵PID:2340
-
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe120⤵PID:2360
-
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe121⤵PID:2408
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-