Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 17:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe
-
Size
320KB
-
MD5
e8cd921efb7a8bb123f44d6118b546b0
-
SHA1
e689a75f291ffb8f79e35d839695a2b26a586c99
-
SHA256
b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1
-
SHA512
372eaa31117f99b0eac43501b2c0f9a81a012b1641b74cee6a887b88dc0565530aa304d2b07bbe35a77d3602df45749e00276fd2cd6cfedeb173c0069b27c765
-
SSDEEP
6144:G7bYewiw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwx:G7bfElr54ujjgj8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeccjcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdehdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmogmjmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclfag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgpnjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgibnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajmjcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjacjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoobhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbkpeake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkakicam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boogmgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmijfmfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciaefa32.exe -
Executes dropped EXE 64 IoCs
pid Process 2156 Fbmfkkbm.exe 2940 Ffibkj32.exe 2756 Fnfcel32.exe 2616 Fdpkbf32.exe 2840 Fkjdopeh.exe 2608 Gcheib32.exe 3024 Gkomjo32.exe 1712 Gpabcbdb.exe 1184 Gfkkpmko.exe 2428 Giiglhjb.exe 1488 Gljpncgc.exe 1644 Hhcmhdke.exe 280 Hhejnc32.exe 3064 Hlafnbal.exe 2980 Hanogipc.exe 380 Hnbopmnm.exe 2284 Iaeegh32.exe 1444 Idcacc32.exe 2240 Ifampo32.exe 2528 Iipiljgf.exe 1656 Ilofhffj.exe 2576 Idfnicfl.exe 1416 Iegjqk32.exe 2104 Jkkija32.exe 2524 Jniefm32.exe 2720 Jagnlkjd.exe 2200 Jdejhfig.exe 2912 Jaijak32.exe 2644 Jckgicnp.exe 2856 Jjdofm32.exe 2680 Kjglkm32.exe 668 Kfnmpn32.exe 1228 Kjihalag.exe 1892 Khlili32.exe 476 Kpcqnf32.exe 320 Kbigpn32.exe 1784 Lkakicam.exe 2596 Lnbdko32.exe 1500 Ldllgiek.exe 2668 Ljieppcb.exe 1780 Lqcmmjko.exe 1604 Lgmeid32.exe 612 Liqoflfh.exe 3044 Lqhfhigj.exe 900 Mfdopp32.exe 760 Mjpkqonj.exe 348 Mmogmjmn.exe 2060 Mbkpeake.exe 1724 Mfglep32.exe 2152 Mejlalji.exe 2472 Mkddnf32.exe 2884 Mnbpjb32.exe 2728 Mfihkoal.exe 2748 Melifl32.exe 2280 Mgjebg32.exe 1996 Mbpipp32.exe 1584 Mgmahg32.exe 2360 Mlhnifmq.exe 1380 Mbbfep32.exe 1008 Maefamlh.exe 1668 Mccbmh32.exe 2916 Mlkjne32.exe 1708 Necogkbo.exe 1596 Nhakcfab.exe -
Loads dropped DLL 64 IoCs
pid Process 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 2156 Fbmfkkbm.exe 2156 Fbmfkkbm.exe 2940 Ffibkj32.exe 2940 Ffibkj32.exe 2756 Fnfcel32.exe 2756 Fnfcel32.exe 2616 Fdpkbf32.exe 2616 Fdpkbf32.exe 2840 Fkjdopeh.exe 2840 Fkjdopeh.exe 2608 Gcheib32.exe 2608 Gcheib32.exe 3024 Gkomjo32.exe 3024 Gkomjo32.exe 1712 Gpabcbdb.exe 1712 Gpabcbdb.exe 1184 Gfkkpmko.exe 1184 Gfkkpmko.exe 2428 Giiglhjb.exe 2428 Giiglhjb.exe 1488 Gljpncgc.exe 1488 Gljpncgc.exe 1644 Hhcmhdke.exe 1644 Hhcmhdke.exe 280 Hhejnc32.exe 280 Hhejnc32.exe 3064 Hlafnbal.exe 3064 Hlafnbal.exe 2980 Hanogipc.exe 2980 Hanogipc.exe 380 Hnbopmnm.exe 380 Hnbopmnm.exe 2284 Iaeegh32.exe 2284 Iaeegh32.exe 1444 Idcacc32.exe 1444 Idcacc32.exe 2240 Ifampo32.exe 2240 Ifampo32.exe 2528 Iipiljgf.exe 2528 Iipiljgf.exe 1656 Ilofhffj.exe 1656 Ilofhffj.exe 2576 Idfnicfl.exe 2576 Idfnicfl.exe 1416 Iegjqk32.exe 1416 Iegjqk32.exe 2104 Jkkija32.exe 2104 Jkkija32.exe 2524 Jniefm32.exe 2524 Jniefm32.exe 2720 Jagnlkjd.exe 2720 Jagnlkjd.exe 2200 Jdejhfig.exe 2200 Jdejhfig.exe 2912 Jaijak32.exe 2912 Jaijak32.exe 2644 Jckgicnp.exe 2644 Jckgicnp.exe 2856 Jjdofm32.exe 2856 Jjdofm32.exe 2680 Kjglkm32.exe 2680 Kjglkm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ljqglfel.dll Bbeded32.exe File opened for modification C:\Windows\SysWOW64\Objaha32.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Aknngo32.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Eknpadcn.exe Elkofg32.exe File opened for modification C:\Windows\SysWOW64\Jcciqi32.exe Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Eacljf32.exe Ecploipa.exe File opened for modification C:\Windows\SysWOW64\Lkjjma32.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Objaha32.exe Oplelf32.exe File created C:\Windows\SysWOW64\Fabaocfl.exe Fcpacf32.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Fimmkm32.dll Mlkjne32.exe File opened for modification C:\Windows\SysWOW64\Oaghki32.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Enemcbio.dll Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Eodicd32.exe File created C:\Windows\SysWOW64\Apnmpn32.dll Eicpcm32.exe File created C:\Windows\SysWOW64\Lpfhdddb.dll Ibacbcgg.exe File opened for modification C:\Windows\SysWOW64\Adaiee32.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Jaijak32.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Dphmloih.exe Dafmqb32.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Khghgchk.exe File created C:\Windows\SysWOW64\Inbnhihl.exe Imaapa32.exe File created C:\Windows\SysWOW64\Hmffen32.dll Njnmbk32.exe File opened for modification C:\Windows\SysWOW64\Odmckcmq.exe Omckoi32.exe File created C:\Windows\SysWOW64\Ppkjac32.exe Piabdiep.exe File opened for modification C:\Windows\SysWOW64\Deakjjbk.exe Dmkcil32.exe File created C:\Windows\SysWOW64\Lpgcln32.dll Jfcabd32.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Adfqgl32.exe File opened for modification C:\Windows\SysWOW64\Dbncjf32.exe Dobgihgp.exe File opened for modification C:\Windows\SysWOW64\Eihgfd32.exe Egikjh32.exe File opened for modification C:\Windows\SysWOW64\Fhdjgoha.exe Fajbke32.exe File created C:\Windows\SysWOW64\Kdpfadlm.exe Kpdjaecc.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bgcbhd32.exe File created C:\Windows\SysWOW64\Aamhcmdo.dll Bnlgbnbp.exe File created C:\Windows\SysWOW64\Amcbankf.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Jeoggjip.dll Lgchgb32.exe File created C:\Windows\SysWOW64\Lmdlck32.dll Bbbpenco.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Eabepp32.exe File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Gqlhkofn.exe Gkoobhhg.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mblbnj32.exe File opened for modification C:\Windows\SysWOW64\Dmkcil32.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Hdpcokdo.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Igqhpj32.exe Iinhdmma.exe File opened for modification C:\Windows\SysWOW64\Bnihdemo.exe Bkklhjnk.exe File created C:\Windows\SysWOW64\Dofphfof.dll Folfoj32.exe File created C:\Windows\SysWOW64\Hcgjmo32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Lgapeogq.dll Hemqpf32.exe File created C:\Windows\SysWOW64\Kkjnnn32.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Imjkpb32.exe Ijkocg32.exe File created C:\Windows\SysWOW64\Nplnekmg.dll Lcdhgn32.exe File created C:\Windows\SysWOW64\Folfoj32.exe Fhbnbpjc.exe File created C:\Windows\SysWOW64\Hahnac32.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Kpgffe32.exe Kjmnjkjd.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qndkpmkm.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Lanbdf32.exe Lkdjglfo.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Qdompf32.exe File created C:\Windows\SysWOW64\Mjcaimgg.exe Mkqqnq32.exe File opened for modification C:\Windows\SysWOW64\Gljpncgc.exe Giiglhjb.exe File created C:\Windows\SysWOW64\Mccbmh32.exe Maefamlh.exe File created C:\Windows\SysWOW64\Aaddjiql.dll Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Aodkci32.exe Aijbfo32.exe File created C:\Windows\SysWOW64\Ifigco32.dll Hmmbqegc.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jpbalb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpqlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlfjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilapopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjdmjgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmcchlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhejnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdefddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmepkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" Pmehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imokehhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahanckfm.dll" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklkbele.dll" Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll" Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffibkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlhkbhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadndbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmdbnnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinhdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fchkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Nhlgmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofjjbcd.dll" Hbidne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddonghfa.dll" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhmofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjeop32.dll" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohndnll.dll" Kgnkci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhlgmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkoicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfejbj.dll" Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkffng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhcegll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjlcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eakooqih.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2156 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 30 PID 2272 wrote to memory of 2156 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 30 PID 2272 wrote to memory of 2156 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 30 PID 2272 wrote to memory of 2156 2272 b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe 30 PID 2156 wrote to memory of 2940 2156 Fbmfkkbm.exe 31 PID 2156 wrote to memory of 2940 2156 Fbmfkkbm.exe 31 PID 2156 wrote to memory of 2940 2156 Fbmfkkbm.exe 31 PID 2156 wrote to memory of 2940 2156 Fbmfkkbm.exe 31 PID 2940 wrote to memory of 2756 2940 Ffibkj32.exe 32 PID 2940 wrote to memory of 2756 2940 Ffibkj32.exe 32 PID 2940 wrote to memory of 2756 2940 Ffibkj32.exe 32 PID 2940 wrote to memory of 2756 2940 Ffibkj32.exe 32 PID 2756 wrote to memory of 2616 2756 Fnfcel32.exe 33 PID 2756 wrote to memory of 2616 2756 Fnfcel32.exe 33 PID 2756 wrote to memory of 2616 2756 Fnfcel32.exe 33 PID 2756 wrote to memory of 2616 2756 Fnfcel32.exe 33 PID 2616 wrote to memory of 2840 2616 Fdpkbf32.exe 34 PID 2616 wrote to memory of 2840 2616 Fdpkbf32.exe 34 PID 2616 wrote to memory of 2840 2616 Fdpkbf32.exe 34 PID 2616 wrote to memory of 2840 2616 Fdpkbf32.exe 34 PID 2840 wrote to memory of 2608 2840 Fkjdopeh.exe 35 PID 2840 wrote to memory of 2608 2840 Fkjdopeh.exe 35 PID 2840 wrote to memory of 2608 2840 Fkjdopeh.exe 35 PID 2840 wrote to memory of 2608 2840 Fkjdopeh.exe 35 PID 2608 wrote to memory of 3024 2608 Gcheib32.exe 36 PID 2608 wrote to memory of 3024 2608 Gcheib32.exe 36 PID 2608 wrote to memory of 3024 2608 Gcheib32.exe 36 PID 2608 wrote to memory of 3024 2608 Gcheib32.exe 36 PID 3024 wrote to memory of 1712 3024 Gkomjo32.exe 37 PID 3024 wrote to memory of 1712 3024 Gkomjo32.exe 37 PID 3024 wrote to memory of 1712 3024 Gkomjo32.exe 37 PID 3024 wrote to memory of 1712 3024 Gkomjo32.exe 37 PID 1712 wrote to memory of 1184 1712 Gpabcbdb.exe 38 PID 1712 wrote to memory of 1184 1712 Gpabcbdb.exe 38 PID 1712 wrote to memory of 1184 1712 Gpabcbdb.exe 38 PID 1712 wrote to memory of 1184 1712 Gpabcbdb.exe 38 PID 1184 wrote to memory of 2428 1184 Gfkkpmko.exe 39 PID 1184 wrote to memory of 2428 1184 Gfkkpmko.exe 39 PID 1184 wrote to memory of 2428 1184 Gfkkpmko.exe 39 PID 1184 wrote to memory of 2428 1184 Gfkkpmko.exe 39 PID 2428 wrote to memory of 1488 2428 Giiglhjb.exe 40 PID 2428 wrote to memory of 1488 2428 Giiglhjb.exe 40 PID 2428 wrote to memory of 1488 2428 Giiglhjb.exe 40 PID 2428 wrote to memory of 1488 2428 Giiglhjb.exe 40 PID 1488 wrote to memory of 1644 1488 Gljpncgc.exe 41 PID 1488 wrote to memory of 1644 1488 Gljpncgc.exe 41 PID 1488 wrote to memory of 1644 1488 Gljpncgc.exe 41 PID 1488 wrote to memory of 1644 1488 Gljpncgc.exe 41 PID 1644 wrote to memory of 280 1644 Hhcmhdke.exe 42 PID 1644 wrote to memory of 280 1644 Hhcmhdke.exe 42 PID 1644 wrote to memory of 280 1644 Hhcmhdke.exe 42 PID 1644 wrote to memory of 280 1644 Hhcmhdke.exe 42 PID 280 wrote to memory of 3064 280 Hhejnc32.exe 43 PID 280 wrote to memory of 3064 280 Hhejnc32.exe 43 PID 280 wrote to memory of 3064 280 Hhejnc32.exe 43 PID 280 wrote to memory of 3064 280 Hhejnc32.exe 43 PID 3064 wrote to memory of 2980 3064 Hlafnbal.exe 44 PID 3064 wrote to memory of 2980 3064 Hlafnbal.exe 44 PID 3064 wrote to memory of 2980 3064 Hlafnbal.exe 44 PID 3064 wrote to memory of 2980 3064 Hlafnbal.exe 44 PID 2980 wrote to memory of 380 2980 Hanogipc.exe 45 PID 2980 wrote to memory of 380 2980 Hanogipc.exe 45 PID 2980 wrote to memory of 380 2980 Hanogipc.exe 45 PID 2980 wrote to memory of 380 2980 Hanogipc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe"C:\Users\Admin\AppData\Local\Temp\b741ed6ccfff152cb62deeae0fdb99284dbbc0da536193b6254c84cbfdc720b1N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe33⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe35⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:476 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe40⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe42⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe44⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe45⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe46⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe50⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe51⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe52⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe53⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe54⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe55⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe56⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe58⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe59⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe60⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe64⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe65⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe66⤵PID:2292
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe67⤵PID:1632
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe70⤵PID:1512
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe71⤵PID:1504
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe72⤵PID:2892
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe73⤵PID:2500
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe74⤵PID:1908
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe75⤵PID:1720
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe76⤵PID:592
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe77⤵PID:2236
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe78⤵PID:2900
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe79⤵PID:1224
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe80⤵PID:3048
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe81⤵PID:1484
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe83⤵PID:1828
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe84⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe85⤵PID:300
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe87⤵PID:1240
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe88⤵PID:2700
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe89⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe90⤵PID:2340
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe91⤵PID:2904
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe92⤵PID:1520
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe93⤵PID:1688
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe94⤵PID:1384
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe95⤵PID:1824
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe96⤵PID:1732
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe98⤵PID:1248
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe99⤵PID:888
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe100⤵PID:2096
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe101⤵PID:1004
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe102⤵PID:1896
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe103⤵PID:2312
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe104⤵PID:268
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe105⤵PID:1108
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe107⤵PID:2800
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe108⤵PID:2724
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe109⤵PID:2880
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe110⤵
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe111⤵PID:1912
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe112⤵PID:2432
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe113⤵PID:1168
-
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe114⤵PID:1044
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe115⤵PID:2696
-
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe116⤵
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe117⤵PID:2164
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe118⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe119⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe120⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe121⤵PID:2812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-