Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 01:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe
-
Size
128KB
-
MD5
f20b450d1755dfaece439bb2c69e9179
-
SHA1
18ac448339290d52bd5a322bd0b59ebfabcb00e7
-
SHA256
dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3
-
SHA512
0a3a6bf606b20ba14f318167ba60aaeaf59381e9d9e79b16d15669338cd020da90c70609aad376dd049d120442b276c11b5bff6bac270f0d7ec818f3dc21e3b4
-
SSDEEP
3072:+bbQ3OeClMySsUc+jh7eAD7DxSvITW/cbFGS9n:OHSM+jkA/hCw9n
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liblfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndafcmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqlfhjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppipdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjjafkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glnkcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clhecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mneaacno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imjmhkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdngip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqhfnifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedamd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Empomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpehd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgoadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqnhmgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffmpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfoihhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnfpjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egebjmdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nikkkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjafkpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgodcich.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphaglgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiokholk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahfgbkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpceebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aocbokia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goapjnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfkgdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdngip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmklak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjpceebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aldfcpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eebibf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgcdi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2692 Ijidfpci.exe 2668 Igmepdbc.exe 2808 Imjmhkpj.exe 1844 Igpaec32.exe 1856 Iqhfnifq.exe 556 Ifengpdh.exe 448 Imogcj32.exe 2956 Iblola32.exe 2504 Iejkhlip.exe 2880 Jbnlaqhi.exe 2928 Jelhmlgm.exe 2148 Jkfpjf32.exe 2332 Jbphgpfg.exe 1836 Jkimpfmg.exe 2316 Jbcelp32.exe 2980 Jgpndg32.exe 1940 Jnifaajh.exe 1020 Jcfoihhp.exe 2176 Jfekec32.exe 2440 Jnlbgq32.exe 2412 Jajocl32.exe 1812 Kfggkc32.exe 1308 Kmaphmln.exe 2304 Kbnhpdke.exe 2512 Kfidqb32.exe 2756 Kbpefc32.exe 2804 Keoabo32.exe 2576 Kngekdnf.exe 2544 Kfnnlboi.exe 2580 Koibpd32.exe 2004 Kaholp32.exe 1912 Kjpceebh.exe 1952 Lbgkfbbj.exe 1808 Lkbpke32.exe 2824 Lmalgq32.exe 2904 Lhfpdi32.exe 1516 Lophacfl.exe 1152 Lpaehl32.exe 580 Lhimji32.exe 1692 Lglmefcg.exe 2116 Lmeebpkd.exe 1340 Lilfgq32.exe 308 Lmhbgpia.exe 1076 Lpfnckhe.exe 1864 Miocmq32.exe 1740 Mcggef32.exe 976 Mgbcfdmo.exe 1428 Mlolnllf.exe 2240 Monhjgkj.exe 2700 Mcidkf32.exe 2812 Maldfbjn.exe 2552 Mlahdkjc.exe 1688 Mopdpg32.exe 1748 Mclqqeaq.exe 316 Mejmmqpd.exe 2836 Mhhiiloh.exe 2208 Mldeik32.exe 2872 Mneaacno.exe 2344 Meljbqna.exe 1800 Mdojnm32.exe 3000 Moenkf32.exe 1644 Mnhnfckm.exe 1472 Ndafcmci.exe 1368 Nklopg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 2692 Ijidfpci.exe 2692 Ijidfpci.exe 2668 Igmepdbc.exe 2668 Igmepdbc.exe 2808 Imjmhkpj.exe 2808 Imjmhkpj.exe 1844 Igpaec32.exe 1844 Igpaec32.exe 1856 Iqhfnifq.exe 1856 Iqhfnifq.exe 556 Ifengpdh.exe 556 Ifengpdh.exe 448 Imogcj32.exe 448 Imogcj32.exe 2956 Iblola32.exe 2956 Iblola32.exe 2504 Iejkhlip.exe 2504 Iejkhlip.exe 2880 Jbnlaqhi.exe 2880 Jbnlaqhi.exe 2928 Jelhmlgm.exe 2928 Jelhmlgm.exe 2148 Jkfpjf32.exe 2148 Jkfpjf32.exe 2332 Jbphgpfg.exe 2332 Jbphgpfg.exe 1836 Jkimpfmg.exe 1836 Jkimpfmg.exe 2316 Jbcelp32.exe 2316 Jbcelp32.exe 2980 Jgpndg32.exe 2980 Jgpndg32.exe 1940 Jnifaajh.exe 1940 Jnifaajh.exe 1020 Jcfoihhp.exe 1020 Jcfoihhp.exe 2176 Jfekec32.exe 2176 Jfekec32.exe 2440 Jnlbgq32.exe 2440 Jnlbgq32.exe 2412 Jajocl32.exe 2412 Jajocl32.exe 1812 Kfggkc32.exe 1812 Kfggkc32.exe 1308 Kmaphmln.exe 1308 Kmaphmln.exe 2304 Kbnhpdke.exe 2304 Kbnhpdke.exe 2512 Kfidqb32.exe 2512 Kfidqb32.exe 2756 Kbpefc32.exe 2756 Kbpefc32.exe 2804 Keoabo32.exe 2804 Keoabo32.exe 2576 Kngekdnf.exe 2576 Kngekdnf.exe 2544 Kfnnlboi.exe 2544 Kfnnlboi.exe 2580 Koibpd32.exe 2580 Koibpd32.exe 2004 Kaholp32.exe 2004 Kaholp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kfnhec32.dll Hekefkig.exe File created C:\Windows\SysWOW64\Hepmik32.dll Igpaec32.exe File created C:\Windows\SysWOW64\Meljbqna.exe Mneaacno.exe File created C:\Windows\SysWOW64\Lcfejhma.dll Koibpd32.exe File created C:\Windows\SysWOW64\Imbige32.dll Ejcofica.exe File created C:\Windows\SysWOW64\Jcfgoadd.exe Jojloc32.exe File created C:\Windows\SysWOW64\Kgjjndeq.exe Kigibh32.exe File created C:\Windows\SysWOW64\Mmbnam32.exe Mkdbea32.exe File opened for modification C:\Windows\SysWOW64\Qpaohjkk.exe Qmcclolh.exe File created C:\Windows\SysWOW64\Oeficpoq.dll Aebakp32.exe File created C:\Windows\SysWOW64\Lbpihjem.dll Obcffefa.exe File created C:\Windows\SysWOW64\Aqcfncko.dll Inplqlng.exe File created C:\Windows\SysWOW64\Fpgnoo32.exe Fllaopcg.exe File created C:\Windows\SysWOW64\Igpaec32.exe Imjmhkpj.exe File created C:\Windows\SysWOW64\Cglcek32.exe Cdngip32.exe File created C:\Windows\SysWOW64\Gfabkl32.exe Gdcfoq32.exe File opened for modification C:\Windows\SysWOW64\Gmkjgfmf.exe Gedbfimc.exe File created C:\Windows\SysWOW64\Odnobj32.exe Opccallb.exe File created C:\Windows\SysWOW64\Ofdeeb32.exe Ocfiif32.exe File opened for modification C:\Windows\SysWOW64\Qpniokan.exe Phgannal.exe File opened for modification C:\Windows\SysWOW64\Dochelmj.exe Dglpdomh.exe File created C:\Windows\SysWOW64\Emgdmc32.exe Eikimeff.exe File opened for modification C:\Windows\SysWOW64\Ojbnkp32.exe Ogdaod32.exe File created C:\Windows\SysWOW64\Pijgbl32.exe Pfkkeq32.exe File created C:\Windows\SysWOW64\Cfleblle.dll Lpaehl32.exe File created C:\Windows\SysWOW64\Flmogqde.dll Phgannal.exe File created C:\Windows\SysWOW64\Mgnedp32.dll Epqgopbi.exe File opened for modification C:\Windows\SysWOW64\Apkbnibq.exe Ahcjmkbo.exe File created C:\Windows\SysWOW64\Ojeakfnd.exe Okbapi32.exe File created C:\Windows\SysWOW64\Addhcn32.exe Aaflgb32.exe File created C:\Windows\SysWOW64\Bpfebmia.exe Bacefpbg.exe File opened for modification C:\Windows\SysWOW64\Lkmldbcj.exe Lljkif32.exe File created C:\Windows\SysWOW64\Eonkgg32.dll Baqhapdj.exe File opened for modification C:\Windows\SysWOW64\Lophacfl.exe Lhfpdi32.exe File created C:\Windows\SysWOW64\Ippdloip.dll Dgqion32.exe File created C:\Windows\SysWOW64\Qdpohodn.exe Qaablcej.exe File created C:\Windows\SysWOW64\Aocbokia.exe Appbcn32.exe File created C:\Windows\SysWOW64\Gmaonc32.dll Dkeoongd.exe File created C:\Windows\SysWOW64\Ejnbekph.dll Dnckki32.exe File opened for modification C:\Windows\SysWOW64\Kapaaj32.exe Kbmafngi.exe File opened for modification C:\Windows\SysWOW64\Keoabo32.exe Kbpefc32.exe File opened for modification C:\Windows\SysWOW64\Anecfgdc.exe Qlggjlep.exe File opened for modification C:\Windows\SysWOW64\Pnfpjc32.exe Podpoffm.exe File created C:\Windows\SysWOW64\Mofapq32.dll Epeajo32.exe File created C:\Windows\SysWOW64\Ecipfpcm.dll Fappgflg.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fjhdpk32.exe File opened for modification C:\Windows\SysWOW64\Hipkfkgh.exe Hdbbnd32.exe File opened for modification C:\Windows\SysWOW64\Nanfqo32.exe Nnbjpqoa.exe File opened for modification C:\Windows\SysWOW64\Abkkpd32.exe Ajdcofop.exe File created C:\Windows\SysWOW64\Nbqjqehd.exe Ncnjeh32.exe File created C:\Windows\SysWOW64\Mlanmb32.dll Ccgnelll.exe File created C:\Windows\SysWOW64\Mpgoaiep.dll Cdamao32.exe File created C:\Windows\SysWOW64\Lmphha32.dll Gllnnc32.exe File opened for modification C:\Windows\SysWOW64\Pbpoebgc.exe Poacighp.exe File created C:\Windows\SysWOW64\Kaokbi32.dll Glpgibbn.exe File created C:\Windows\SysWOW64\Nijjfj32.dll Jmdiahco.exe File created C:\Windows\SysWOW64\Fbnqjk32.dll Kjhfjpdd.exe File created C:\Windows\SysWOW64\Cdamao32.exe Ccpqjfnh.exe File created C:\Windows\SysWOW64\Egcfdn32.exe Eddjhb32.exe File opened for modification C:\Windows\SysWOW64\Gfcopl32.exe Gbhcpmkm.exe File opened for modification C:\Windows\SysWOW64\Ghidcceo.exe Gekhgh32.exe File created C:\Windows\SysWOW64\Ekpbgbme.dll Kpoejbhe.exe File created C:\Windows\SysWOW64\Kakabjnn.dll Mcacochk.exe File created C:\Windows\SysWOW64\Qfikod32.exe Qgfkchmp.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiemmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnhgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqfabdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadobccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkclf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbojjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfgbkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhnfckm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkciic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojndpqpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilifndlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhnfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfgkha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpgibbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghidcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqepgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdodmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhalngad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nddcimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaplfinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndbko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmkjgfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqllghon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohmonb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfacdqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhlbbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll" Njchfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmnlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkciic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll" Capdpcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncaean32.dll" Fpemhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinefnpo.dll" Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpoejbhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccgnelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qfikod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjkbh32.dll" Jcfoihhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gekhgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcidkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhiepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkakd32.dll" Kiemmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmaf32.dll" Blniinac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moenkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moafnqhk.dll" Hipkfkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnkffi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kndbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knohpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" Ckmbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpjjl32.dll" Fhbbcail.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" Bggjjlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccpqjfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Bfjkphjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbaaioa.dll" Pbpoebgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkdndeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loimal32.dll" Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdeffdbl.dll" Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflhek32.dll" Hnppaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjhhiqm.dll" Lmbabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qghgigkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgepogei.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nndgeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahibcg.dll" Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nikkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjagic.dll" Bmjekahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbmccel.dll" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpcdopi.dll" Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neajod32.dll" Lpfnckhe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2692 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 30 PID 2640 wrote to memory of 2692 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 30 PID 2640 wrote to memory of 2692 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 30 PID 2640 wrote to memory of 2692 2640 dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe 30 PID 2692 wrote to memory of 2668 2692 Ijidfpci.exe 31 PID 2692 wrote to memory of 2668 2692 Ijidfpci.exe 31 PID 2692 wrote to memory of 2668 2692 Ijidfpci.exe 31 PID 2692 wrote to memory of 2668 2692 Ijidfpci.exe 31 PID 2668 wrote to memory of 2808 2668 Igmepdbc.exe 32 PID 2668 wrote to memory of 2808 2668 Igmepdbc.exe 32 PID 2668 wrote to memory of 2808 2668 Igmepdbc.exe 32 PID 2668 wrote to memory of 2808 2668 Igmepdbc.exe 32 PID 2808 wrote to memory of 1844 2808 Imjmhkpj.exe 33 PID 2808 wrote to memory of 1844 2808 Imjmhkpj.exe 33 PID 2808 wrote to memory of 1844 2808 Imjmhkpj.exe 33 PID 2808 wrote to memory of 1844 2808 Imjmhkpj.exe 33 PID 1844 wrote to memory of 1856 1844 Igpaec32.exe 34 PID 1844 wrote to memory of 1856 1844 Igpaec32.exe 34 PID 1844 wrote to memory of 1856 1844 Igpaec32.exe 34 PID 1844 wrote to memory of 1856 1844 Igpaec32.exe 34 PID 1856 wrote to memory of 556 1856 Iqhfnifq.exe 35 PID 1856 wrote to memory of 556 1856 Iqhfnifq.exe 35 PID 1856 wrote to memory of 556 1856 Iqhfnifq.exe 35 PID 1856 wrote to memory of 556 1856 Iqhfnifq.exe 35 PID 556 wrote to memory of 448 556 Ifengpdh.exe 36 PID 556 wrote to memory of 448 556 Ifengpdh.exe 36 PID 556 wrote to memory of 448 556 Ifengpdh.exe 36 PID 556 wrote to memory of 448 556 Ifengpdh.exe 36 PID 448 wrote to memory of 2956 448 Imogcj32.exe 37 PID 448 wrote to memory of 2956 448 Imogcj32.exe 37 PID 448 wrote to memory of 2956 448 Imogcj32.exe 37 PID 448 wrote to memory of 2956 448 Imogcj32.exe 37 PID 2956 wrote to memory of 2504 2956 Iblola32.exe 38 PID 2956 wrote to memory of 2504 2956 Iblola32.exe 38 PID 2956 wrote to memory of 2504 2956 Iblola32.exe 38 PID 2956 wrote to memory of 2504 2956 Iblola32.exe 38 PID 2504 wrote to memory of 2880 2504 Iejkhlip.exe 39 PID 2504 wrote to memory of 2880 2504 Iejkhlip.exe 39 PID 2504 wrote to memory of 2880 2504 Iejkhlip.exe 39 PID 2504 wrote to memory of 2880 2504 Iejkhlip.exe 39 PID 2880 wrote to memory of 2928 2880 Jbnlaqhi.exe 40 PID 2880 wrote to memory of 2928 2880 Jbnlaqhi.exe 40 PID 2880 wrote to memory of 2928 2880 Jbnlaqhi.exe 40 PID 2880 wrote to memory of 2928 2880 Jbnlaqhi.exe 40 PID 2928 wrote to memory of 2148 2928 Jelhmlgm.exe 41 PID 2928 wrote to memory of 2148 2928 Jelhmlgm.exe 41 PID 2928 wrote to memory of 2148 2928 Jelhmlgm.exe 41 PID 2928 wrote to memory of 2148 2928 Jelhmlgm.exe 41 PID 2148 wrote to memory of 2332 2148 Jkfpjf32.exe 42 PID 2148 wrote to memory of 2332 2148 Jkfpjf32.exe 42 PID 2148 wrote to memory of 2332 2148 Jkfpjf32.exe 42 PID 2148 wrote to memory of 2332 2148 Jkfpjf32.exe 42 PID 2332 wrote to memory of 1836 2332 Jbphgpfg.exe 43 PID 2332 wrote to memory of 1836 2332 Jbphgpfg.exe 43 PID 2332 wrote to memory of 1836 2332 Jbphgpfg.exe 43 PID 2332 wrote to memory of 1836 2332 Jbphgpfg.exe 43 PID 1836 wrote to memory of 2316 1836 Jkimpfmg.exe 44 PID 1836 wrote to memory of 2316 1836 Jkimpfmg.exe 44 PID 1836 wrote to memory of 2316 1836 Jkimpfmg.exe 44 PID 1836 wrote to memory of 2316 1836 Jkimpfmg.exe 44 PID 2316 wrote to memory of 2980 2316 Jbcelp32.exe 45 PID 2316 wrote to memory of 2980 2316 Jbcelp32.exe 45 PID 2316 wrote to memory of 2980 2316 Jbcelp32.exe 45 PID 2316 wrote to memory of 2980 2316 Jbcelp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe"C:\Users\Admin\AppData\Local\Temp\dd9e355d2ef76ec31d6d62b0a1c838fce70206528e7fcfcf7d45d95d85abd8d3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe34⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe35⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe36⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe38⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe40⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe41⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe42⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe43⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe44⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe47⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe48⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe49⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe52⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe53⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe54⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe56⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe57⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe58⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe61⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe65⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe67⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe69⤵PID:2748
-
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe70⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe71⤵PID:2596
-
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe72⤵PID:3028
-
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe73⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe74⤵PID:2968
-
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe76⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe77⤵PID:2832
-
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe78⤵PID:2340
-
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe79⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe80⤵PID:2436
-
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe81⤵PID:1192
-
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe82⤵PID:2424
-
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe83⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe84⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe85⤵PID:2792
-
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe86⤵PID:2548
-
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe88⤵PID:2360
-
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe90⤵PID:2380
-
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe91⤵PID:1804
-
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe92⤵PID:2160
-
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe94⤵PID:1496
-
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe95⤵PID:2260
-
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe96⤵PID:684
-
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe97⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe98⤵PID:2772
-
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe99⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe100⤵PID:3024
-
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe101⤵PID:2180
-
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe102⤵PID:2828
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe103⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe104⤵PID:1468
-
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe105⤵PID:2204
-
C:\Windows\SysWOW64\Pmhgba32.exeC:\Windows\system32\Pmhgba32.exe106⤵PID:980
-
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe107⤵PID:1092
-
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe108⤵PID:2480
-
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe109⤵PID:1712
-
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe110⤵PID:2688
-
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe112⤵PID:1984
-
C:\Windows\SysWOW64\Piadma32.exeC:\Windows\system32\Piadma32.exe113⤵PID:2172
-
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe114⤵PID:2228
-
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe115⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe116⤵PID:604
-
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe117⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe118⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe119⤵PID:760
-
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe120⤵PID:2716
-
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe121⤵PID:792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-