Analysis
max time kernel: 148s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/09/2024, 00:53
Static task: static1
Behavioral task: behavioral1
  Sample: d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe
  Resource: win10v2004-20240802-en
General
Target
d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe
Size
391KB
MD5
c7bb556fc763191888938c601f714058
SHA1
78289376d081df62289dfb38697ddaacecc08d14
SHA256
d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901
SHA512
d27ac10f1aee4755973040f473a0a9eee1cd81accd598f6a79a84b2a661d6db168aecee03dace352e4ce8fa062ffe7be2ce454b9c465c7944767fc231db03b86
SSDEEP
6144:3dDWYAJvR9LEq0FaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:tKYWR9ymNtuhUNP3cOK3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oggkklnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnoqbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Minnmomo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idaimfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjohbgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfqmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgnpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aikkgnnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmphfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjlifjjb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimbbhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajcaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciggap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eadejede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eadejede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcjpcmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjnikpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekqqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnhlgoia.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdlkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogiqffhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdhiaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klkjbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcgldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mheqie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlodma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjbpemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkqle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhino32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqkqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khmamhek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljjd32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilneef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Minnmomo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flgiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjqbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbnlqld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogiqffhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neddfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkkgnmqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheljhof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnoiqpqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnpih32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goadik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogckqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilpohecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiioanpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokccnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkbbqjgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkoemji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcigjolm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dajiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbqkqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hohhfbkl.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimbbhgh.exe
Executes dropped EXE 64 IoCs
pid Process
2356 Abmkhmfe.exe
2380 Andlmnki.exe
2988 Afoqbpid.exe
2580 Adcakdhn.exe
2940 Apjbpemb.exe
2576 Bagncl32.exe
3052 Cpadpg32.exe
1672 Cpcaeghc.exe
1272 Dheljhof.exe
592 Emjnikpc.exe
2864 Efglmpbn.exe
960 Fpdjaeei.exe
1532 Fjnkac32.exe
2532 Fallil32.exe
2180 Gpfbfh32.exe
2472 Glmckikf.exe
2192 Hkkcbdhc.exe
1948 Hnllcoed.exe
1712 Idojon32.exe
2404 Ifngiqlg.exe
2036 Iqhhin32.exe
2300 Jdfqomom.exe
2320 Jmfoon32.exe
880 Jjjohbgl.exe
112 Knnagehi.exe
2660 Kkbbqjgb.exe
2804 Lneghd32.exe
2608 Lfpllg32.exe
2836 Lfbibfmi.exe
2748 Lifoia32.exe
2632 Laacmc32.exe
1656 Mafmhcam.exe
2956 Mahinb32.exe
2104 Mclbkjcf.exe
2560 Ndkoemji.exe
1860 Nglhghgj.exe
2948 Noiiaj32.exe
1964 Oggkklnk.exe
2392 Ojjqbg32.exe
2184 Odpeop32.exe
108 Oqfeda32.exe
3016 Oqibjq32.exe
1852 Pjafbfca.exe
276 Pkeppngm.exe
1568 Pemdic32.exe
1648 Pkglenej.exe
636 Pikmob32.exe
1300 Pjlifjjb.exe
2096 Pcdnpp32.exe
2368 Qahnid32.exe
2712 Qfegakmc.exe
2760 Qcigjolm.exe
2752 Aifpcfjd.exe
2552 Bdnmda32.exe
2244 Bimbbhgh.exe
1040 Clphjc32.exe
1864 Clbdobpc.exe
1980 Caomgjnk.exe
2996 Ckgapo32.exe
2412 Cgnbepjp.exe
3036 Cadfbi32.exe
3020 Dklkkoqf.exe
1560 Dddodd32.exe
2024 Dlpdifda.exe
Loads dropped DLL 64 IoCs
pid Process 904 d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe 904 d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe 2356 Abmkhmfe.exe 2356 Abmkhmfe.exe 2380 Andlmnki.exe 2380 Andlmnki.exe 2988 Afoqbpid.exe 2988 Afoqbpid.exe 2580 Adcakdhn.exe 2580 Adcakdhn.exe 2940 Apjbpemb.exe 2940 Apjbpemb.exe 2576 Bagncl32.exe 2576 Bagncl32.exe 3052 Cpadpg32.exe 3052 Cpadpg32.exe 1672 Cpcaeghc.exe 1672 Cpcaeghc.exe 1272 Dheljhof.exe 1272 Dheljhof.exe 592 Emjnikpc.exe 592 Emjnikpc.exe 2864 Efglmpbn.exe 2864 Efglmpbn.exe 960 Fpdjaeei.exe 960 Fpdjaeei.exe 1532 Fjnkac32.exe 1532 Fjnkac32.exe 2532 Fallil32.exe 2532 Fallil32.exe 2180 Gpfbfh32.exe 2180 Gpfbfh32.exe 2472 Glmckikf.exe 2472 Glmckikf.exe 2192 Hkkcbdhc.exe 2192 Hkkcbdhc.exe 1948 Hnllcoed.exe 1948 Hnllcoed.exe 1712 Idojon32.exe 1712 Idojon32.exe 2404 Ifngiqlg.exe 2404 Ifngiqlg.exe 2036 Iqhhin32.exe 2036 Iqhhin32.exe 2300 Jdfqomom.exe 2300 Jdfqomom.exe 2320 Jmfoon32.exe 2320 Jmfoon32.exe 880 Jjjohbgl.exe 880 Jjjohbgl.exe 112 Knnagehi.exe 112 Knnagehi.exe 2660 Kkbbqjgb.exe 2660 Kkbbqjgb.exe 2804 Lneghd32.exe 2804 Lneghd32.exe 2608 Lfpllg32.exe 2608 Lfpllg32.exe 2836 Lfbibfmi.exe 2836 Lfbibfmi.exe 2748 Lifoia32.exe 2748 Lifoia32.exe 2632 Laacmc32.exe 2632 Laacmc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbgaahgl.exe Fiomhc32.exe File opened for modification C:\Windows\SysWOW64\Andnff32.exe Aaqnmbdd.exe File created C:\Windows\SysWOW64\Gggknmnm.dll Elmmhc32.exe File opened for modification C:\Windows\SysWOW64\Mbiokdam.exe Minnmomo.exe File opened for modification C:\Windows\SysWOW64\Oljbil32.exe Olhfdl32.exe File opened for modification C:\Windows\SysWOW64\Caligc32.exe Cdhino32.exe File opened for modification C:\Windows\SysWOW64\Gpdhiaoi.exe Gflcplhh.exe File created C:\Windows\SysWOW64\Idmqai32.dll Hpejcnlf.exe File created C:\Windows\SysWOW64\Oggkklnk.exe Noiiaj32.exe File created C:\Windows\SysWOW64\Kqgmnk32.exe Jnfdlpje.exe File opened for modification C:\Windows\SysWOW64\Glmckikf.exe Gpfbfh32.exe File created C:\Windows\SysWOW64\Pjgiad32.exe Pqlhbo32.exe File created C:\Windows\SysWOW64\Gailehfk.dll Hhklibbf.exe File created C:\Windows\SysWOW64\Dheljhof.exe Cpcaeghc.exe File created C:\Windows\SysWOW64\Panoee32.dll Gabohk32.exe File created C:\Windows\SysWOW64\Goompeid.dll Glmckikf.exe File created C:\Windows\SysWOW64\Jnpioe32.dll Fbhhlo32.exe File opened for modification C:\Windows\SysWOW64\Jdfqomom.exe Iqhhin32.exe File opened for modification C:\Windows\SysWOW64\Dklkkoqf.exe Cadfbi32.exe File opened for modification C:\Windows\SysWOW64\Hjglpncm.exe Hnpkkm32.exe File created C:\Windows\SysWOW64\Bppfcoaa.dll Hjglpncm.exe File created C:\Windows\SysWOW64\Oakdkn32.exe Neddfm32.exe File created C:\Windows\SysWOW64\Jjbifo32.dll Phdiglap.exe File opened for modification C:\Windows\SysWOW64\Afoqbpid.exe Andlmnki.exe File created C:\Windows\SysWOW64\Bepajh32.dll Ifngiqlg.exe File created C:\Windows\SysWOW64\Qfegakmc.exe Qahnid32.exe File opened for modification C:\Windows\SysWOW64\Noffadai.exe Nabegpbp.exe File created C:\Windows\SysWOW64\Lkbcoi32.dll Bajqcqli.exe File opened for modification C:\Windows\SysWOW64\Badlln32.exe Bfohoe32.exe File opened for modification C:\Windows\SysWOW64\Hleegpgb.exe 
Hcjpcmjg.exe File created C:\Windows\SysWOW64\Lfpllg32.exe Lneghd32.exe File opened for modification C:\Windows\SysWOW64\Pjafbfca.exe Oqibjq32.exe File opened for modification C:\Windows\SysWOW64\Qgcingnm.exe Qdbpml32.exe File created C:\Windows\SysWOW64\Lbiapmah.dll Mheqie32.exe File created C:\Windows\SysWOW64\Qdbpml32.exe Pgnpcg32.exe File created C:\Windows\SysWOW64\Cchfha32.dll Mclbkjcf.exe File created C:\Windows\SysWOW64\Fplcpm32.dll Ifkecl32.exe File created C:\Windows\SysWOW64\Paejod32.dll Cadfbi32.exe File created C:\Windows\SysWOW64\Idaimfjf.exe Ielllj32.exe File created C:\Windows\SysWOW64\Fehjcc32.exe Fbgaahgl.exe File opened for modification C:\Windows\SysWOW64\Dadikaaj.exe Cenhfqle.exe File opened for modification C:\Windows\SysWOW64\Fbhhlo32.exe Fjmdgmnl.exe File created C:\Windows\SysWOW64\Cammfg32.dll Cpccnp32.exe File created C:\Windows\SysWOW64\Adcakdhn.exe Afoqbpid.exe File created C:\Windows\SysWOW64\Nnaeccqh.dll Cpadpg32.exe File opened for modification C:\Windows\SysWOW64\Injnfl32.exe Idaimfjf.exe File opened for modification C:\Windows\SysWOW64\Nglhghgj.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Cokqfhpa.exe Bjnhpj32.exe File created C:\Windows\SysWOW64\Mbiokdam.exe Minnmomo.exe File created C:\Windows\SysWOW64\Ocibno32.dll Jknnoppp.exe File created C:\Windows\SysWOW64\Ifjeefld.dll Bnmmjd32.exe File created C:\Windows\SysWOW64\Ahmbdm32.dll Enmbeehg.exe File created C:\Windows\SysWOW64\Dkkpeg32.dll Jdfqomom.exe File opened for modification C:\Windows\SysWOW64\Fmnmih32.exe Fbhhlo32.exe File opened for modification C:\Windows\SysWOW64\Olhfdl32.exe Ocpakg32.exe File created C:\Windows\SysWOW64\Bcmhlbgm.dll Eckopm32.exe File created C:\Windows\SysWOW64\Goohckob.exe Folknlae.exe File created C:\Windows\SysWOW64\Abmkhmfe.exe d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe File created C:\Windows\SysWOW64\Hmkjkp32.dll Nibcgb32.exe File opened for modification C:\Windows\SysWOW64\Bdnmda32.exe Aifpcfjd.exe File opened for 
modification C:\Windows\SysWOW64\Ipefba32.exe Imgjfe32.exe File created C:\Windows\SysWOW64\Ahamfm32.dll Cipaqqli.exe File created C:\Windows\SysWOW64\Pdpfpofk.dll Eemded32.exe File opened for modification C:\Windows\SysWOW64\Ehnknfdn.exe Eoefea32.exe
Program crash 1 IoCs
pid pid_target Process procid_target
2300 3372 WerFault.exe 320
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhhjhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfqmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeikpij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffadai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idaimfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlodma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcjfdqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfegakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neagan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapcaocc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjohbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimpcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injnfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknnoppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciggap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmgapgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjodiep.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcfdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andnff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folknlae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoefea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilneef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqgmnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkladpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpbiaqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjglpncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andlmnki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnknfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilbknd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipaqqli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcaeghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkeppngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edahca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpadpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmckikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Eogckqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goadik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijddokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdjaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhojjjhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflcplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neddfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifngiqlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpllg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgqoech.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjnje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idqpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpafanf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genmab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikmob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqqea32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbqnobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdjhmph.dll" Gfdcdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imgjfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkbbqjgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpcmojia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eckopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khdhmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqqgkm32.dll" Afoqbpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbalb32.dll" Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dheljhof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnoqbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpioe32.dll" Fbhhlo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmnibf.dll" Eoefea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpckee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Janijh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flgiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlfolad.dll" Gpdhiaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjeefld.dll" Bnmmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffjbfpf.dll" Didgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Didgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Caglpoco.dll" Oamaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifngiqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdnmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eclejclg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fehjcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llefld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpkhjlc.dll" Ippkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpcmojia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkjkp32.dll" Nibcgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mncijanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhlmnmjc.dll" 
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe"C:\Users\Admin\AppData\Local\Temp\d77d0f421523832002d3be4ce4f926e912bd7dcc1d5f2dd9c2fdf929e9146901.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Fpdjaeei.exeC:\Windows\system32\Fpdjaeei.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Fjnkac32.exeC:\Windows\system32\Fjnkac32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Fallil32.exeC:\Windows\system32\Fallil32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Jdfqomom.exeC:\Windows\system32\Jdfqomom.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe33⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe34⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe37⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe42⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe44⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe46⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe47⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe50⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Aifpcfjd.exeC:\Windows\system32\Aifpcfjd.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Bimbbhgh.exeC:\Windows\system32\Bimbbhgh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe57⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe58⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Caomgjnk.exeC:\Windows\system32\Caomgjnk.exe59⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ckgapo32.exeC:\Windows\system32\Ckgapo32.exe60⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Cgnbepjp.exeC:\Windows\system32\Cgnbepjp.exe61⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Cadfbi32.exeC:\Windows\system32\Cadfbi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Dklkkoqf.exeC:\Windows\system32\Dklkkoqf.exe63⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe64⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Dlpdifda.exeC:\Windows\system32\Dlpdifda.exe65⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Dnoqbi32.exeC:\Windows\system32\Dnoqbi32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Dfjegl32.exeC:\Windows\system32\Dfjegl32.exe67⤵PID:2052
-
C:\Windows\SysWOW64\Docjpa32.exeC:\Windows\system32\Docjpa32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Eoefea32.exeC:\Windows\system32\Eoefea32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Ehnknfdn.exeC:\Windows\system32\Ehnknfdn.exe70⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe72⤵PID:3040
-
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Eclejclg.exeC:\Windows\system32\Eclejclg.exe74⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Eqpfchka.exeC:\Windows\system32\Eqpfchka.exe75⤵PID:2196
-
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe76⤵PID:2040
-
C:\Windows\SysWOW64\Fimgmj32.exeC:\Windows\system32\Fimgmj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe78⤵PID:1556
-
C:\Windows\SysWOW64\Fjmdgmnl.exeC:\Windows\system32\Fjmdgmnl.exe79⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Fbhhlo32.exeC:\Windows\system32\Fbhhlo32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Fmnmih32.exeC:\Windows\system32\Fmnmih32.exe81⤵PID:2224
-
C:\Windows\SysWOW64\Fnoiqpqk.exeC:\Windows\system32\Fnoiqpqk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Flcjjdpe.exeC:\Windows\system32\Flcjjdpe.exe83⤵PID:2408
-
C:\Windows\SysWOW64\Gekncjfe.exeC:\Windows\system32\Gekncjfe.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Gabohk32.exeC:\Windows\system32\Gabohk32.exe85⤵
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Gmipmlan.exeC:\Windows\system32\Gmipmlan.exe86⤵PID:1988
-
C:\Windows\SysWOW64\Gnhlgoia.exeC:\Windows\system32\Gnhlgoia.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Ghqqpd32.exeC:\Windows\system32\Ghqqpd32.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Gaiehjfb.exeC:\Windows\system32\Gaiehjfb.exe89⤵PID:3048
-
C:\Windows\SysWOW64\Hjaiaolb.exeC:\Windows\system32\Hjaiaolb.exe90⤵PID:1732
-
C:\Windows\SysWOW64\Hdjnje32.exeC:\Windows\system32\Hdjnje32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Hfhjfp32.exeC:\Windows\system32\Hfhjfp32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Hdlkpd32.exeC:\Windows\system32\Hdlkpd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Hpckee32.exeC:\Windows\system32\Hpckee32.exe94⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Hhnpih32.exeC:\Windows\system32\Hhnpih32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Hohhfbkl.exeC:\Windows\system32\Hohhfbkl.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe97⤵PID:1104
-
C:\Windows\SysWOW64\Hbfalpab.exeC:\Windows\system32\Hbfalpab.exe98⤵PID:2124
-
C:\Windows\SysWOW64\Ilneef32.exeC:\Windows\system32\Ilneef32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Iegjnkod.exeC:\Windows\system32\Iegjnkod.exe100⤵PID:1744
-
C:\Windows\SysWOW64\Ighfecdb.exeC:\Windows\system32\Ighfecdb.exe101⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ippkni32.exeC:\Windows\system32\Ippkni32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Ipbgci32.exeC:\Windows\system32\Ipbgci32.exe103⤵PID:1920
-
C:\Windows\SysWOW64\Igmppcpm.exeC:\Windows\system32\Igmppcpm.exe104⤵PID:2904
-
C:\Windows\SysWOW64\Idqpjg32.exeC:\Windows\system32\Idqpjg32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Ijmibn32.exeC:\Windows\system32\Ijmibn32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Jojaje32.exeC:\Windows\system32\Jojaje32.exe107⤵PID:2400
-
C:\Windows\SysWOW64\Jchjqc32.exeC:\Windows\system32\Jchjqc32.exe108⤵
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Jbmgapgc.exeC:\Windows\system32\Jbmgapgc.exe109⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Jndgfqlh.exeC:\Windows\system32\Jndgfqlh.exe110⤵PID:1908
-
C:\Windows\SysWOW64\Jnfdlpje.exeC:\Windows\system32\Jnfdlpje.exe111⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Kqgmnk32.exeC:\Windows\system32\Kqgmnk32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Kjpafanf.exeC:\Windows\system32\Kjpafanf.exe113⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Kjbnlqld.exeC:\Windows\system32\Kjbnlqld.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Lcjodiep.exeC:\Windows\system32\Lcjodiep.exe115⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Lhhhjhkf.exeC:\Windows\system32\Lhhhjhkf.exe116⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Mpcmojia.exeC:\Windows\system32\Mpcmojia.exe117⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Mabihm32.exeC:\Windows\system32\Mabihm32.exe118⤵PID:3060
-
C:\Windows\SysWOW64\Minnmomo.exeC:\Windows\system32\Minnmomo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Mbiokdam.exeC:\Windows\system32\Mbiokdam.exe120⤵PID:2144
-
C:\Windows\SysWOW64\Mbkladpj.exeC:\Windows\system32\Mbkladpj.exe121⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Napibq32.exeC:\Windows\system32\Napibq32.exe122⤵PID:1944