Analysis
max time kernel: 142s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 01:36
Static task: static1
Behavioral task: behavioral1
  Sample: c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe
  Resource: win10v2004-20240802-en
(The signature details that follow are from the windows7_x64 run named in the header.)
General
Target: c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe
Size: 386KB
MD5: 1cf434f88386b0a00a9bc578555d9855
SHA1: 6780334c5448922d386247d5b9442cb352445e18
SHA256: c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06
SHA512: d1ce1abe70c0af1df653558d89d78448eac20b3b8986df5cf274b74a87e35bbf261f725fc1b88868d44323d96d1e0108714b11d09f9fe8dbc680ad5ed239a9a8
SSDEEP: 6144:LUbpQWBqhdhs7wQIc72nxvG7rbxmPVvRqlfJg9i4s7wQIc72nxvG7rbxmPV:LR2wQZ7287xmPFRkfJg9qwQZ7287xmP
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 entries are under the same key, \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. The sample is a 32-bit process on an x64 guest, so WOW64 registry redirection placed the writes in the Wow6432Node view. explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class" below) runs inside Explorer at each logon. The value name "Web Event Logger" and the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} are identical across every process in the dropped chain, which makes them a stable host indicator for this family.
description | ioc | Process
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Didiclbc.exe
Key created | ShellServiceObjectDelayLoad | Fgaibb32.exe
Key created | ShellServiceObjectDelayLoad | Cojnol32.exe
Key created | ShellServiceObjectDelayLoad | Ohleappp.exe
Key created | ShellServiceObjectDelayLoad | Hnclbn32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dahkngdj.exe
Key created | ShellServiceObjectDelayLoad | Fhoochcq.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkfqbgni.exe
Key created | ShellServiceObjectDelayLoad | Npdlbj32.exe
Key created | ShellServiceObjectDelayLoad | Mbqabl32.exe
Key created | ShellServiceObjectDelayLoad | Kdabfp32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfgmme32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eehpoaaf.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhippbem.exe
Key created | ShellServiceObjectDelayLoad | Lfmhnmhd.exe
Key created | ShellServiceObjectDelayLoad | Haeajp32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfpamhbp.exe
Key created | ShellServiceObjectDelayLoad | Ekgineko.exe
Key created | ShellServiceObjectDelayLoad | Hodbopmq.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hfipcf32.exe
Key created | ShellServiceObjectDelayLoad | Bbbigj32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnlhibff.exe
Key created | ShellServiceObjectDelayLoad | Omfadgqj.exe
Key created | ShellServiceObjectDelayLoad | Egaqgi32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iddieoqi.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Geefejne.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjjmgo32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iibgmk32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbjledoo.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilpblb32.exe
Key created | ShellServiceObjectDelayLoad | Enaocnlg.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eldidd32.exe
Key created | ShellServiceObjectDelayLoad | Hnocgnoc.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbohomdk.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dngcjp32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lifdec32.exe
Key created | ShellServiceObjectDelayLoad | Jqimfdni.exe
Key created | ShellServiceObjectDelayLoad | Iabjim32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nenccdmn.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgiipqah.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onadck32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cddqod32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajeloe32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Habgqehi.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Limjeb32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfdcjnbn.exe
Key created | ShellServiceObjectDelayLoad | Kbllhiqe.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egomgcnb.exe
Key created | ShellServiceObjectDelayLoad | Ehaleg32.exe
Key created | ShellServiceObjectDelayLoad | Dffopi32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dncmaa32.exe
Key created | ShellServiceObjectDelayLoad | Nlemaf32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adagjagp.exe
Key created | ShellServiceObjectDelayLoad | Ioinchpo.exe
Key created | ShellServiceObjectDelayLoad | Ljafifbh.exe
Key created | ShellServiceObjectDelayLoad | Bcaqdl32.exe
Key created | ShellServiceObjectDelayLoad | Okimnfkm.exe
Key created | ShellServiceObjectDelayLoad | Pdaleoef.exe
Key created | ShellServiceObjectDelayLoad | Nnbagfdg.exe
Key created | ShellServiceObjectDelayLoad | Kmoagi32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ejbjidmm.exe
Key created | ShellServiceObjectDelayLoad | Npcgpmmd.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjlhcegl.exe
Key created | ShellServiceObjectDelayLoad | Agfhmo32.exe
Executes dropped EXE 64 IoCs
Listed in execution order; the first entries match the parent-to-child chain in the "Suspicious use of WriteProcessMemory" section, i.e. each dropped executable starts the next one.
pid | Process
2272 | Ihehbpel.exe
2096 | Idligq32.exe
2184 | Iiiapg32.exe
2644 | Jibdff32.exe
2900 | Kabbehjb.exe
2588 | Kjngjj32.exe
2616 | Kgahcn32.exe
2524 | Kchhholk.exe
2336 | Lhodgebh.exe
2640 | Lqjhkg32.exe
2440 | Lbieejff.exe
2888 | Ljdjildq.exe
2328 | Mloigc32.exe
1056 | Miciqgqn.exe
2288 | Njiocobg.exe
2240 | Neocahbm.exe
1172 | Nmjhejph.exe
1648 | Olablfbm.exe
2416 | Pmnnomnn.exe
2964 | Phcbmend.exe
1964 | Pgionbbl.exe
2284 | Pdmpgfae.exe
1856 | Qcgfcbbh.exe
2624 | Aopcnbfj.exe
1600 | Akfdcckn.exe
1208 | Agmehd32.exe
2268 | Aqfiqjgb.exe
2732 | Bqhffj32.exe
2648 | Bfeonq32.exe
2712 | Bqjcli32.exe
800 | Biegpl32.exe
2932 | Bkfqbgni.exe
2804 | Bbpioa32.exe
2540 | Bngicb32.exe
2156 | Cjnjhcqo.exe
2912 | Cbpendha.exe
2256 | Dajkjphd.exe
2840 | Dbihccpg.exe
964 | Dehdpnok.exe
2320 | Dkelhemb.exe
2824 | Ddmaak32.exe
2056 | Ekgineko.exe
852 | Eaaajo32.exe
2332 | Edpnfjap.exe
1812 | Eacnpoqi.exe
1988 | Egpfheoa.exe
832 | Ephkak32.exe
1508 | Ecidbfbb.exe
876 | Eehpoaaf.exe
2364 | Epmdljal.exe
2772 | Fejmda32.exe
2960 | Fcnmne32.exe
2028 | Fdojendk.exe
2800 | Feofpqkn.exe
1868 | Fklohgie.exe
2560 | Fddcqm32.exe
2768 | Fnlhibff.exe
1428 | Fkphcg32.exe
1700 | Gqmqkn32.exe
2784 | Gjeedcjh.exe
2192 | Gqomqm32.exe
2228 | Gjhbic32.exe
1340 | Gbcgne32.exe
1140 | Gjjoob32.exe
Loads dropped DLL 64 IoCs
Each process below is recorded twice in the source (two load events per process); the 32 distinct processes are listed once with the event count.
pid | Process | events
1756 | c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe | 2
2272 | Ihehbpel.exe | 2
2096 | Idligq32.exe | 2
2184 | Iiiapg32.exe | 2
2644 | Jibdff32.exe | 2
2900 | Kabbehjb.exe | 2
2588 | Kjngjj32.exe | 2
2616 | Kgahcn32.exe | 2
2524 | Kchhholk.exe | 2
2336 | Lhodgebh.exe | 2
2640 | Lqjhkg32.exe | 2
2440 | Lbieejff.exe | 2
2888 | Ljdjildq.exe | 2
2328 | Mloigc32.exe | 2
1056 | Miciqgqn.exe | 2
2288 | Njiocobg.exe | 2
2240 | Neocahbm.exe | 2
1172 | Nmjhejph.exe | 2
1648 | Olablfbm.exe | 2
2416 | Pmnnomnn.exe | 2
2964 | Phcbmend.exe | 2
1964 | Pgionbbl.exe | 2
2284 | Pdmpgfae.exe | 2
1856 | Qcgfcbbh.exe | 2
2624 | Aopcnbfj.exe | 2
1600 | Akfdcckn.exe | 2
1208 | Agmehd32.exe | 2
2268 | Aqfiqjgb.exe | 2
2732 | Bqhffj32.exe | 2
2648 | Bfeonq32.exe | 2
2712 | Bqjcli32.exe | 2
800 | Biegpl32.exe | 2
Drops file in System32 directory 64 IoCs
All paths are under C:\Windows\SysWOW64: a 32-bit process writing to "System32" on an x64 guest is redirected there by the file system redirector. Each process in the chain writes either the next executable in the chain or a DLL; several of the DLLs (for example Benoapld.dll written by Lhlehppg.exe and Oldeje32.dll written by Mbqabl32.exe) are the same files that the "Modifies registry class" section registers as the InProcServer32 of the persistence CLSID.
description | ioc | Process
File created | C:\Windows\SysWOW64\Apnqpdpb.dll | Kfekch32.exe
File created | C:\Windows\SysWOW64\Iilnjg32.dll | Bjmdhmne.exe
File created | C:\Windows\SysWOW64\Adkaib32.exe | Alpmep32.exe
File opened for modification | C:\Windows\SysWOW64\Agkjknji.exe | Akdjfmed.exe
File created | C:\Windows\SysWOW64\Bfeqgikk.exe | Bphhobmd.exe
File opened for modification | C:\Windows\SysWOW64\Agclbdll.exe | Acfcme32.exe
File opened for modification | C:\Windows\SysWOW64\Gjcijh32.exe | Gdgdhnml.exe
File opened for modification | C:\Windows\SysWOW64\Olmledda.exe | Oiopihen.exe
File opened for modification | C:\Windows\SysWOW64\Gljaehlb.exe | Gepiin32.exe
File created | C:\Windows\SysWOW64\Ejggepfl.exe | Ehhjkm32.exe
File opened for modification | C:\Windows\SysWOW64\Iabjim32.exe | Hjfegc32.exe
File created | C:\Windows\SysWOW64\Bnpoaeek.exe | Bedjmcgp.exe
File created | C:\Windows\SysWOW64\Bkdokjdd.exe | Bnpoaeek.exe
File created | C:\Windows\SysWOW64\Bcjefj32.dll | Iolacn32.exe
File created | C:\Windows\SysWOW64\Abpjia32.exe | Abmmca32.exe
File created | C:\Windows\SysWOW64\Leoofkdo.exe | Lodgja32.exe
File opened for modification | C:\Windows\SysWOW64\Fpcbik32.exe | Femnkb32.exe
File created | C:\Windows\SysWOW64\Joenqe32.dll | Beelel32.exe
File opened for modification | C:\Windows\SysWOW64\Dppopfhp.exe | Cmofok32.exe
File created | C:\Windows\SysWOW64\Hodpfg32.exe | Hjggnp32.exe
File opened for modification | C:\Windows\SysWOW64\Fdbidfjm.exe | Femlbjee.exe
File created | C:\Windows\SysWOW64\Onelkh32.dll | Hnclbn32.exe
File opened for modification | C:\Windows\SysWOW64\Knidfm32.exe | Kmjhljoo.exe
File created | C:\Windows\SysWOW64\Ddhgce32.dll | Ibhple32.exe
File created | C:\Windows\SysWOW64\Pgjhjk32.dll | Meakdgll.exe
File created | C:\Windows\SysWOW64\Pphmjp32.exe | Pdaleoef.exe
File created | C:\Windows\SysWOW64\Kehjpd32.exe | Kkcfbkfj.exe
File opened for modification | C:\Windows\SysWOW64\Pdkejo32.exe | Pajlidnk.exe
File opened for modification | C:\Windows\SysWOW64\Iodnncol.exe | Ifljem32.exe
File created | C:\Windows\SysWOW64\Cfcbpf32.dll | Nljflekd.exe
File created | C:\Windows\SysWOW64\Eiajbl32.dll | Mddjpbgl.exe
File opened for modification | C:\Windows\SysWOW64\Fnnhbkmj.exe | Fkplfpnf.exe
File created | C:\Windows\SysWOW64\Nenokaeg.dll | Cnjkkc32.exe
File created | C:\Windows\SysWOW64\Bpppik32.dll | Fdockgqp.exe
File created | C:\Windows\SysWOW64\Joqibccd.dll | Kdabfp32.exe
File created | C:\Windows\SysWOW64\Qjjkdj32.exe | Qmfkjfnb.exe
File created | C:\Windows\SysWOW64\Mdpldb32.dll | Geobnh32.exe
File created | C:\Windows\SysWOW64\Benoapld.dll | Lhlehppg.exe
File created | C:\Windows\SysWOW64\Pkchgd32.exe | Pbkdoogb.exe
File opened for modification | C:\Windows\SysWOW64\Hijhea32.exe | Hacqdd32.exe
File created | C:\Windows\SysWOW64\Eiabbicf.exe | Eafmng32.exe
File opened for modification | C:\Windows\SysWOW64\Oglgji32.exe | Ojhgad32.exe
File created | C:\Windows\SysWOW64\Oihclk32.exe | Oqmohi32.exe
File opened for modification | C:\Windows\SysWOW64\Kqpcgcga.exe | Joqgmppo.exe
File created | C:\Windows\SysWOW64\Oldeje32.dll | Mbqabl32.exe
File opened for modification | C:\Windows\SysWOW64\Ionigpcn.exe | Ijqqqamh.exe
File created | C:\Windows\SysWOW64\Aohoja32.dll | Fgaibb32.exe
File opened for modification | C:\Windows\SysWOW64\Mkekeqjl.exe | Monjpp32.exe
File opened for modification | C:\Windows\SysWOW64\Gbakdjnn.exe | Glgbgp32.exe
File created | C:\Windows\SysWOW64\Nljflekd.exe | Ncaacp32.exe
File created | C:\Windows\SysWOW64\Ogfcbb32.exe | Okocmapl.exe
File opened for modification | C:\Windows\SysWOW64\Cgenbadb.exe | Cdgbeeen.exe
File created | C:\Windows\SysWOW64\Fhoochcq.exe | Fcbfka32.exe
File created | C:\Windows\SysWOW64\Jggdqipm.dll | Bqjcli32.exe
File opened for modification | C:\Windows\SysWOW64\Fpngec32.exe | Eiabbicf.exe
File created | C:\Windows\SysWOW64\Dccbohlj.exe | Dlijbn32.exe
File created | C:\Windows\SysWOW64\Oijlfp32.dll | Ncjkcqjl.exe
File created | C:\Windows\SysWOW64\Ekhclh32.exe | Ejggepfl.exe
File opened for modification | C:\Windows\SysWOW64\Bcbllc32.exe | Bnfcclhq.exe
File created | C:\Windows\SysWOW64\Dlnfff32.exe | Dojelbib.exe
File opened for modification | C:\Windows\SysWOW64\Debcjiod.exe | Dnfoho32.exe
File created | C:\Windows\SysWOW64\Jandikbp.exe | Jfhpkbbj.exe
File opened for modification | C:\Windows\SysWOW64\Lplqoiai.exe | Leflapab.exe
File created | C:\Windows\SysWOW64\Dngcjp32.exe | Dkfjhela.exe
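A live-host check for the behaviour in the "Executes dropped EXE", "Loads dropped DLL" and "Drops file in System32 directory" sections, added here as an example and not part of the sandbox output. It lists executables and DLLs in System32 and SysWOW64 that were created recently, carry no valid Microsoft signature and are not owned by TrustedInstaller, which is how the Ihehbpel.exe / Apnqpdpb.dll style drops above would look on a real machine. It assumes an elevated PowerShell 3.0 or later session; the 14-day window and the signer string are assumptions to tune per incident.

```powershell
# Added example for this report (not sandbox output): list executables and
# DLLs in System32 / SysWOW64 that were created recently, are not
# Microsoft-signed and are not owned by TrustedInstaller, which is how the
# Ihehbpel.exe / Apnqpdpb.dll style drops above would look on a live host.
# Assumes an elevated PowerShell 3.0+ session; the 14-day window is an
# assumption, set it from the incident timeline.
param([int]$Days = 14)

$dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$since = (Get-Date).AddDays(-$Days)

$hits = foreach ($dir in $dirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path "$dir\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $owner  = (Get-Acl -LiteralPath $_.FullName).Owner
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            # Files laid down by Windows servicing are TrustedInstaller-owned; a file written
            # by an administrator-level process is owned by that account or by Administrators.
            if (-not $msSigned -and $owner -ne 'NT SERVICE\TrustedInstaller') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    Owner     = $owner
                    SigStatus = $sig.Status
                    Signer    = $signer
                }
            }
        }
}

$hits | Sort-Object Created | Format-Table -AutoSize
```

Two caveats when reading the output. CreationTime is attacker-controllable (timestomping), so an empty result with a short window does not clear the host; rerun with a large -Days value if the timeline is uncertain. On older PowerShell (the 2.0 that ships with Windows 7) Get-AuthenticodeSignature does not resolve catalog signatures, so many genuine OS files report NotSigned; that is why the owner check is combined with the signature check rather than used alone.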
Program crash 1 IoCs
pid | pid_target | Process | procid_target
112 | 4976 | WerFault.exe | 892
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The key involved, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, is also read by ordinary locale APIs, so on its own this is a weak indicator; it is recorded here because the dropped processes opened it.
description | ioc | Process
All 64 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language" by the following processes, in the order the source lists them:
Bnfcclhq.exe, Nepphdkl.exe, Cjnjhcqo.exe, Nppgfp32.exe, Feblho32.exe, Pkkicfik.exe, Mdenaded.exe, Hjneceek.exe, Clnnhq32.exe, Eenige32.exe, Fbgacebm.exe, Pijmanoe.exe, Doejhjfc.exe, Ejggepfl.exe, Kakfkg32.exe, Abpjia32.exe, Fnlhibff.exe, Nqcjiaah.exe, Obbbbhkf.exe, Bkiopock.exe, Mmecgl32.exe, Dbjledoo.exe, Bkmjeo32.exe, Cpkokq32.exe,
Olablfbm.exe, Feofpqkn.exe, Fmjmml32.exe, Oihclk32.exe, Eibdkb32.exe, Gbngdd32.exe, Ddmaak32.exe, Mfjamkig.exe, Iffggo32.exe, Gdgdhnml.exe, Hkenmidf.exe, Aenfem32.exe, Pifdog32.exe, Plkgkn32.exe, Cmjfielh.exe, Jpnffoci.exe, Kpqfpl32.exe, Pmcjceam.exe, Febgfbhc.exe, Kdabfp32.exe, Kgcdkj32.exe, Khpqkq32.exe, Lcgnmlkk.exe,
Ifhdlo32.exe, Bnpoaeek.exe, Jfmppg32.exe, Gkbdjc32.exe, Jejjlh32.exe, Ciqdenjh.exe, Opkdkbjh.exe, Ephkak32.exe, Eafmng32.exe, Najhngpm.exe, Dlimkgla.exe, Pmnnomnn.exe, Nimccigq.exe, Pkihli32.exe, Idligq32.exe, Phcbmend.exe, Dkelhemb.exe
Modifies registry class 64 IoCs
All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the COM registration of the CLSID that the ShellServiceObjectDelayLoad value above points at. The (default) value of InProcServer32 names the DLL explorer.exe loads for that CLSID; successive processes in the chain point it at freshly dropped DLLs in C:\Windows\SysWow64 (Benoapld.dll written by Lhlehppg.exe and Oldeje32.dll written by Mbqabl32.exe also appear in "Drops file in System32 directory"), and ThreadingModel = "Apartment" is the usual STA setting for an in-process shell component. Whichever DLL is registered last is the one that will run inside Explorer at the next logon, so on a live host the current (default) value, not any single name from this list, is what to pull for analysis.
description | ioc | Process
Set value (str) | ThreadingModel = "Apartment" | Dbjledoo.exe
Key created | InProcServer32 | Ldebcach.exe
Set value (str) | ThreadingModel = "Apartment" | Dfaokckn.exe
Set value (str) | ThreadingModel = "Apartment" | Jfmppg32.exe
Set value (str) | ThreadingModel = "Apartment" | Gjdlbqjj.exe
Set value (str) | ThreadingModel = "Apartment" | Hakcinfe.exe
Set value (str) | ThreadingModel = "Apartment" | Bkmjeo32.exe
Key created | InProcServer32 | Hihnhjna.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pfddfjmg.dll" | Hfgbbb32.exe
Key created | InProcServer32 | Khgidhlh.exe
Key created | InProcServer32 | Monjpp32.exe
Set value (str) | ThreadingModel = "Apartment" | Cojgdf32.exe
Key created | InProcServer32 | Fcjenkhm.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Imekobfb.dll" | Fkphcg32.exe
Key created | InProcServer32 | Pengmqkl.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Nbkici32.dll" | Pjccjblp.exe
Key created | InProcServer32 | Kfekch32.exe
Key created | InProcServer32 | Mljlfk32.exe
Key created | InProcServer32 | Jfhpkbbj.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Dqmljind.dll" | Leflapab.exe
Key created | InProcServer32 | Kphmnojf.exe
Key created | InProcServer32 | Lfjdnggk.exe
Set value (str) | ThreadingModel = "Apartment" | Abmfikdo.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Nhmqdhkm.dll" | Mabkcbbj.exe
Set value (str) | ThreadingModel = "Apartment" | Jkcjchco.exe
Set value (str) | ThreadingModel = "Apartment" | Anbmoi32.exe
Key created | InProcServer32 | Pgjile32.exe
Key created | InProcServer32 | Fqdailia.exe
Set value (str) | ThreadingModel = "Apartment" | Ilqdejhf.exe
Key created | InProcServer32 | Maehib32.exe
Key created | InProcServer32 | Gnejanim.exe
Set value (str) | ThreadingModel = "Apartment" | Hfgego32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Maebpq32.dll" | Njiocobg.exe
Key created | InProcServer32 | Feofpqkn.exe
Key created | InProcServer32 | Enfinm32.exe
Set value (str) | ThreadingModel = "Apartment" | Gialihan.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Dnifkfoj.dll" | Bcaqdl32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Iihbfkln.dll" | Hicbdbjb.exe
Key created | InProcServer32 | Dlnfff32.exe
Set value (str) | ThreadingModel = "Apartment" | Djjlmj32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Benoapld.dll" | Lhlehppg.exe
Set value (str) | ThreadingModel = "Apartment" | Pkchgd32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Lhnemk32.dll" | Mfjamkig.exe
Set value (str) | ThreadingModel = "Apartment" | Obqhea32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pmjlcc32.dll" | Kphmnojf.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ekcpaebn.dll" | Ekhclh32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Afpefd32.dll" | Khbpii32.exe
Set value (str) | ThreadingModel = "Apartment" | Lbbppoci.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Chlifcag.dll" | Feofpqkn.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Fmholj32.dll" | Iabjim32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Fbqlkl32.dll" | Ibklbd32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Anlgan32.dll" | Hmjgbj32.exe
Set value (str) | ThreadingModel = "Apartment" | Mhfckc32.exe
Key created | InProcServer32 | Mohfimgm.exe
Set value (str) | ThreadingModel = "Apartment" | Donmohni.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Jcpmcm32.dll" | Lfmhnmhd.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Oldeje32.dll" | Mbqabl32.exe
Set value (str) | ThreadingModel = "Apartment" | Kpqfpl32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Kokcondd.dll" | Diepifmg.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Eiakhe32.dll" | Hcdppdeb.exe
Set value (str) | ThreadingModel = "Apartment" | Plbdfc32.exe
Set value (str) | ThreadingModel = "Apartment" | Ehklpbam.exe
Key created | InProcServer32 | Alponiga.exe
Key created | InProcServer32 | Lmjoip32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1756 wrote to memory of 2272 1756 c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe 29
PID 1756 wrote to memory of 2272 1756 c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe 29
PID 1756 wrote to memory of 2272 1756 c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe 29
PID 1756 wrote to memory of 2272 1756 c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe 29
PID 2272 wrote to memory of 2096 2272 Ihehbpel.exe 30
PID 2272 wrote to memory of 2096 2272 Ihehbpel.exe 30
PID 2272 wrote to memory of 2096 2272 Ihehbpel.exe 30
PID 2272 wrote to memory of 2096 2272 Ihehbpel.exe 30
PID 2096 wrote to memory of 2184 2096 Idligq32.exe 31
PID 2096 wrote to memory of 2184 2096 Idligq32.exe 31
PID 2096 wrote to memory of 2184 2096 Idligq32.exe 31
PID 2096 wrote to memory of 2184 2096 Idligq32.exe 31
PID 2184 wrote to memory of 2644 2184 Iiiapg32.exe 32
PID 2184 wrote to memory of 2644 2184 Iiiapg32.exe 32
PID 2184 wrote to memory of 2644 2184 Iiiapg32.exe 32
PID 2184 wrote to memory of 2644 2184 Iiiapg32.exe 32
PID 2644 wrote to memory of 2900 2644 Jibdff32.exe 33
PID 2644 wrote to memory of 2900 2644 Jibdff32.exe 33
PID 2644 wrote to memory of 2900 2644 Jibdff32.exe 33
PID 2644 wrote to memory of 2900 2644 Jibdff32.exe 33
PID 2900 wrote to memory of 2588 2900 Kabbehjb.exe 34
PID 2900 wrote to memory of 2588 2900 Kabbehjb.exe 34
PID 2900 wrote to memory of 2588 2900 Kabbehjb.exe 34
PID 2900 wrote to memory of 2588 2900 Kabbehjb.exe 34
PID 2588 wrote to memory of 2616 2588 Kjngjj32.exe 35
PID 2588 wrote to memory of 2616 2588 Kjngjj32.exe 35
PID 2588 wrote to memory of 2616 2588 Kjngjj32.exe 35
PID 2588 wrote to memory of 2616 2588 Kjngjj32.exe 35
PID 2616 wrote to memory of 2524 2616 Kgahcn32.exe 36
PID 2616 wrote to memory of 2524 2616 Kgahcn32.exe 36
PID 2616 wrote to memory of 2524 2616 Kgahcn32.exe 36
PID 2616 wrote to memory of 2524 2616 Kgahcn32.exe 36
PID 2524 wrote to memory of 2336 2524 Kchhholk.exe 37
PID 2524 wrote to memory of 2336 2524 Kchhholk.exe 37
PID 2524 wrote to memory of 2336 2524 Kchhholk.exe 37
PID 2524 wrote to memory of 2336 2524 Kchhholk.exe 37
PID 2336 wrote to memory of 2640 2336 Lhodgebh.exe 38
PID 2336 wrote to memory of 2640 2336 Lhodgebh.exe 38
PID 2336 wrote to memory of 2640 2336 Lhodgebh.exe 38
PID 2336 wrote to memory of 2640 2336 Lhodgebh.exe 38
PID 2640 wrote to memory of 2440 2640 Lqjhkg32.exe 39
PID 2640 wrote to memory of 2440 2640 Lqjhkg32.exe 39
PID 2640 wrote to memory of 2440 2640 Lqjhkg32.exe 39
PID 2640 wrote to memory of 2440 2640 Lqjhkg32.exe 39
PID 2440 wrote to memory of 2888 2440 Lbieejff.exe 40
PID 2440 wrote to memory of 2888 2440 Lbieejff.exe 40
PID 2440 wrote to memory of 2888 2440 Lbieejff.exe 40
PID 2440 wrote to memory of 2888 2440 Lbieejff.exe 40
PID 2888 wrote to memory of 2328 2888 Ljdjildq.exe 41
PID 2888 wrote to memory of 2328 2888 Ljdjildq.exe 41
PID 2888 wrote to memory of 2328 2888 Ljdjildq.exe 41
PID 2888 wrote to memory of 2328 2888 Ljdjildq.exe 41
PID 2328 wrote to memory of 1056 2328 Mloigc32.exe 42
PID 2328 wrote to memory of 1056 2328 Mloigc32.exe 42
PID 2328 wrote to memory of 1056 2328 Mloigc32.exe 42
PID 2328 wrote to memory of 1056 2328 Mloigc32.exe 42
PID 1056 wrote to memory of 2288 1056 Miciqgqn.exe 43
PID 1056 wrote to memory of 2288 1056 Miciqgqn.exe 43
PID 1056 wrote to memory of 2288 1056 Miciqgqn.exe 43
PID 1056 wrote to memory of 2288 1056 Miciqgqn.exe 43
PID 2288 wrote to memory of 2240 2288 Njiocobg.exe 44
PID 2288 wrote to memory of 2240 2288 Njiocobg.exe 44
PID 2288 wrote to memory of 2240 2288 Njiocobg.exe 44
PID 2288 wrote to memory of 2240 2288 Njiocobg.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe"C:\Users\Admin\AppData\Local\Temp\c58b8c272a30b6739c8db6ecc8299d8271f2f49a9db82d543a168af6d9b36e06.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Ihehbpel.exeC:\Windows\system32\Ihehbpel.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Idligq32.exeC:\Windows\system32\Idligq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Iiiapg32.exeC:\Windows\system32\Iiiapg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Jibdff32.exeC:\Windows\system32\Jibdff32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kabbehjb.exeC:\Windows\system32\Kabbehjb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kjngjj32.exeC:\Windows\system32\Kjngjj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Kgahcn32.exeC:\Windows\system32\Kgahcn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Kchhholk.exeC:\Windows\system32\Kchhholk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Lhodgebh.exeC:\Windows\system32\Lhodgebh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Lqjhkg32.exeC:\Windows\system32\Lqjhkg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lbieejff.exeC:\Windows\system32\Lbieejff.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Ljdjildq.exeC:\Windows\system32\Ljdjildq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Mloigc32.exeC:\Windows\system32\Mloigc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Miciqgqn.exeC:\Windows\system32\Miciqgqn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Njiocobg.exeC:\Windows\system32\Njiocobg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Neocahbm.exeC:\Windows\system32\Neocahbm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Nmjhejph.exeC:\Windows\system32\Nmjhejph.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Olablfbm.exeC:\Windows\system32\Olablfbm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Pmnnomnn.exeC:\Windows\system32\Pmnnomnn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Phcbmend.exeC:\Windows\system32\Phcbmend.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Pgionbbl.exeC:\Windows\system32\Pgionbbl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Qcgfcbbh.exeC:\Windows\system32\Qcgfcbbh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Aopcnbfj.exeC:\Windows\system32\Aopcnbfj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Akfdcckn.exeC:\Windows\system32\Akfdcckn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Agmehd32.exeC:\Windows\system32\Agmehd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Aqfiqjgb.exeC:\Windows\system32\Aqfiqjgb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Bqhffj32.exeC:\Windows\system32\Bqhffj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Bfeonq32.exeC:\Windows\system32\Bfeonq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Bqjcli32.exeC:\Windows\system32\Bqjcli32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Biegpl32.exeC:\Windows\system32\Biegpl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Bkfqbgni.exeC:\Windows\system32\Bkfqbgni.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Bbpioa32.exeC:\Windows\system32\Bbpioa32.exe34⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bngicb32.exeC:\Windows\system32\Bngicb32.exe35⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Cjnjhcqo.exeC:\Windows\system32\Cjnjhcqo.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Cbpendha.exeC:\Windows\system32\Cbpendha.exe37⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Dajkjphd.exeC:\Windows\system32\Dajkjphd.exe38⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Dbihccpg.exeC:\Windows\system32\Dbihccpg.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dehdpnok.exeC:\Windows\system32\Dehdpnok.exe40⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Dkelhemb.exeC:\Windows\system32\Dkelhemb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Ddmaak32.exeC:\Windows\system32\Ddmaak32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ekgineko.exeC:\Windows\system32\Ekgineko.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Eaaajo32.exeC:\Windows\system32\Eaaajo32.exe44⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Edpnfjap.exeC:\Windows\system32\Edpnfjap.exe45⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Eacnpoqi.exeC:\Windows\system32\Eacnpoqi.exe46⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Egpfheoa.exeC:\Windows\system32\Egpfheoa.exe47⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ephkak32.exeC:\Windows\system32\Ephkak32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\Ecidbfbb.exeC:\Windows\system32\Ecidbfbb.exe49⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Eehpoaaf.exeC:\Windows\system32\Eehpoaaf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Epmdljal.exeC:\Windows\system32\Epmdljal.exe51⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Fejmda32.exeC:\Windows\system32\Fejmda32.exe52⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Fcnmne32.exeC:\Windows\system32\Fcnmne32.exe53⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Fdojendk.exeC:\Windows\system32\Fdojendk.exe54⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Feofpqkn.exeC:\Windows\system32\Feofpqkn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Fklohgie.exeC:\Windows\system32\Fklohgie.exe56⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fddcqm32.exeC:\Windows\system32\Fddcqm32.exe57⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Fnlhibff.exeC:\Windows\system32\Fnlhibff.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Fkphcg32.exeC:\Windows\system32\Fkphcg32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Gqmqkn32.exeC:\Windows\system32\Gqmqkn32.exe60⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gjeedcjh.exeC:\Windows\system32\Gjeedcjh.exe61⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Gqomqm32.exeC:\Windows\system32\Gqomqm32.exe62⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Gjhbic32.exeC:\Windows\system32\Gjhbic32.exe63⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Gbcgne32.exeC:\Windows\system32\Gbcgne32.exe64⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Gjjoob32.exeC:\Windows\system32\Gjjoob32.exe65⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Gmhkkn32.exeC:\Windows\system32\Gmhkkn32.exe66⤵PID:960
-
C:\Windows\SysWOW64\Gddppp32.exeC:\Windows\system32\Gddppp32.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Goidmibg.exeC:\Windows\system32\Goidmibg.exe68⤵PID:2068
-
C:\Windows\SysWOW64\Gfclic32.exeC:\Windows\system32\Gfclic32.exe69⤵PID:2264
-
C:\Windows\SysWOW64\Hbjmodph.exeC:\Windows\system32\Hbjmodph.exe70⤵PID:1720
-
C:\Windows\SysWOW64\Hkbagjfi.exeC:\Windows\system32\Hkbagjfi.exe71⤵PID:236
-
C:\Windows\SysWOW64\Hkenmidf.exeC:\Windows\system32\Hkenmidf.exe72⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Haafepbn.exeC:\Windows\system32\Haafepbn.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Hfnomgqe.exeC:\Windows\system32\Hfnomgqe.exe74⤵PID:2556
-
C:\Windows\SysWOW64\Hadckp32.exeC:\Windows\system32\Hadckp32.exe75⤵PID:2996
-
C:\Windows\SysWOW64\Hcbogk32.exeC:\Windows\system32\Hcbogk32.exe76⤵PID:3036
-
C:\Windows\SysWOW64\Hjlhcegl.exeC:\Windows\system32\Hjlhcegl.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Hafppp32.exeC:\Windows\system32\Hafppp32.exe78⤵PID:1780
-
C:\Windows\SysWOW64\Ifchhf32.exeC:\Windows\system32\Ifchhf32.exe79⤵PID:1788
-
C:\Windows\SysWOW64\Ipkmal32.exeC:\Windows\system32\Ipkmal32.exe80⤵PID:3056
-
C:\Windows\SysWOW64\Iehejc32.exeC:\Windows\system32\Iehejc32.exe81⤵PID:2244
-
C:\Windows\SysWOW64\Iikgkq32.exeC:\Windows\system32\Iikgkq32.exe82⤵PID:1736
-
C:\Windows\SysWOW64\Jjnqhh32.exeC:\Windows\system32\Jjnqhh32.exe83⤵PID:3068
-
C:\Windows\SysWOW64\Jpnffoci.exeC:\Windows\system32\Jpnffoci.exe84⤵
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Jkcjchco.exeC:\Windows\system32\Jkcjchco.exe85⤵
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Jambpb32.exeC:\Windows\system32\Jambpb32.exe86⤵PID:2044
-
C:\Windows\SysWOW64\Jgjkhi32.exeC:\Windows\system32\Jgjkhi32.exe87⤵PID:2764
-
C:\Windows\SysWOW64\Jlgcqp32.exeC:\Windows\system32\Jlgcqp32.exe88⤵PID:2852
-
C:\Windows\SysWOW64\Jbqkmj32.exeC:\Windows\system32\Jbqkmj32.exe89⤵PID:1980
-
C:\Windows\SysWOW64\Kpdlfn32.exeC:\Windows\system32\Kpdlfn32.exe90⤵PID:2612
-
C:\Windows\SysWOW64\Kgodchen.exeC:\Windows\system32\Kgodchen.exe91⤵PID:1176
-
C:\Windows\SysWOW64\Khpqkq32.exeC:\Windows\system32\Khpqkq32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Kceehijb.exeC:\Windows\system32\Kceehijb.exe93⤵PID:2300
-
C:\Windows\SysWOW64\Klniao32.exeC:\Windows\system32\Klniao32.exe94⤵PID:2468
-
C:\Windows\SysWOW64\Kajbie32.exeC:\Windows\system32\Kajbie32.exe95⤵PID:3032
-
C:\Windows\SysWOW64\Kkcfbkfj.exeC:\Windows\system32\Kkcfbkfj.exe96⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Kehjpd32.exeC:\Windows\system32\Kehjpd32.exe97⤵PID:2276
-
C:\Windows\SysWOW64\Lncodf32.exeC:\Windows\system32\Lncodf32.exe98⤵PID:860
-
C:\Windows\SysWOW64\Lhicao32.exeC:\Windows\system32\Lhicao32.exe99⤵PID:1212
-
C:\Windows\SysWOW64\Ljjpighp.exeC:\Windows\system32\Ljjpighp.exe100⤵PID:1716
-
C:\Windows\SysWOW64\Lccdamop.exeC:\Windows\system32\Lccdamop.exe101⤵PID:1772
-
C:\Windows\SysWOW64\Lpgekanj.exeC:\Windows\system32\Lpgekanj.exe102⤵PID:2004
-
C:\Windows\SysWOW64\Lnkedemc.exeC:\Windows\system32\Lnkedemc.exe103⤵PID:1096
-
C:\Windows\SysWOW64\Lcgnmlkk.exeC:\Windows\system32\Lcgnmlkk.exe104⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Ljafifbh.exeC:\Windows\system32\Ljafifbh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Lonoamqo.exeC:\Windows\system32\Lonoamqo.exe106⤵PID:2036
-
C:\Windows\SysWOW64\Mhfckc32.exeC:\Windows\system32\Mhfckc32.exe107⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Mclghl32.exeC:\Windows\system32\Mclghl32.exe108⤵PID:2896
-
C:\Windows\SysWOW64\Mhippbem.exeC:\Windows\system32\Mhippbem.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Mkgllndq.exeC:\Windows\system32\Mkgllndq.exe110⤵PID:924
-
C:\Windows\SysWOW64\Mbadih32.exeC:\Windows\system32\Mbadih32.exe111⤵PID:536
-
C:\Windows\SysWOW64\Mgnmao32.exeC:\Windows\system32\Mgnmao32.exe112⤵PID:1624
-
C:\Windows\SysWOW64\Mklegm32.exeC:\Windows\system32\Mklegm32.exe113⤵PID:932
-
C:\Windows\SysWOW64\Mnjaci32.exeC:\Windows\system32\Mnjaci32.exe114⤵PID:2484
-
C:\Windows\SysWOW64\Mddjpbgl.exeC:\Windows\system32\Mddjpbgl.exe115⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Mknbmm32.exeC:\Windows\system32\Mknbmm32.exe116⤵PID:2580
-
C:\Windows\SysWOW64\Nfhcmkkg.exeC:\Windows\system32\Nfhcmkkg.exe117⤵PID:1860
-
C:\Windows\SysWOW64\Nppgfp32.exeC:\Windows\system32\Nppgfp32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ncnplogn.exeC:\Windows\system32\Ncnplogn.exe119⤵PID:2984
-
C:\Windows\SysWOW64\Ncqmbn32.exeC:\Windows\system32\Ncqmbn32.exe120⤵PID:2380
-
C:\Windows\SysWOW64\Nmiakdll.exeC:\Windows\system32\Nmiakdll.exe121⤵PID:2144
-
C:\Windows\SysWOW64\Nbfjckjc.exeC:\Windows\system32\Nbfjckjc.exe122⤵PID:1676